PayPal coding error exposed customers’ personal data for nearly six months
PayPal says a bug in its Working Capital loan app left some customers’ PII exposed July 1–Dec. 13, 2025; company reset passwords, refunded charges and offered two years of monitoring.

PayPal disclosed that a coding error in its PayPal Working Capital loan application allowed personally identifiable information for a small group of customers to be accessible to unauthorized individuals for roughly six months, and that the company has taken steps to contain the exposure and reimburse victims.
PayPal identified the faulty code on December 12, 2025, and its disclosure says the exposure ran from July 1 through December 13, 2025. The company rolled back the change, terminated unauthorized access, reset passwords on affected accounts and issued refunds to customers who experienced unauthorized transactions. PayPal is offering two years of prepaid identity and credit monitoring plus identity restoration services; Finextra and GovInfosecurity report that the monitoring will be administered through Equifax.
The data that may have been exposed includes full names, email addresses, phone numbers, business addresses, Social Security numbers and dates of birth, according to reporting that synthesizes PayPal’s notice. GovInfosecurity and WION cite an estimate that about 100 customers were affected; other outlets describe the group as a “small number” or a subset of users. PayPal’s public notice characterizes the PII as “potentially exposed” in the coding error.
PayPal’s breach notification, posted online and referenced by multiple outlets, says the company acted after spotting “unauthorized activity” and “began an investigation and terminated the unauthorized access to PayPal's systems.” The disclosure adds that the company “reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you log in to your account if you have not already done so.” Reporters note PayPal discovered the error on December 12 and reversed the faulty code within about 24 hours.

The incident highlights a particular point of exposure in fintech product development. PayPal’s Working Capital program (PPWC) is a business-facing lending product that provides quick access to financing for small firms. GovInfosecurity noted PPWC offers up to $200,000 for first-time borrowers and $300,000 for repeat borrowers, and American Banker reported that more than half of Working Capital and PayPal Business loans go to small businesses in ZIP codes that lost bank branches during the early 2020s. For small firms dependent on fintech credit, exposure of identifying data and any resulting fraud can carry outsized operational and financial consequences.
Several reports say a few customers suffered unauthorized charges that were refunded; the precise mechanism for those transactions has not been publicly established. GovInfosecurity reported that PayPal did not immediately explain whether fraud stemmed from exposed credentials, use of exposed PII to reset accounts, or another method. That uncertainty matters for regulators and for customers assessing their own risk.
PayPal issued a breach notification in February that was posted online by BleepingComputer and drew follow-up coverage on Feb. 21 and Feb. 23. The episode is likely to renew scrutiny from state and federal regulators and underscores how software bugs, not only external hacks, can create prolonged exposures of sensitive data. For affected customers, PayPal’s combination of refunds, mandatory password resets and two years of monitoring will be the immediate relief; for the market, the incident is a reminder that rapid fintech rollouts can carry detection and control gaps with direct costs to customers and potential compliance consequences for lenders.