PayPal says coding error exposed SSNs and DOBs for months in Working Capital app

PayPal disclosed a prolonged data exposure tied to its PayPal Working Capital loan app that may have affected roughly 100 customers; sensitive PII including Social Security numbers was potentially exposed.

By Dr. Elena Rodriguez

PayPal disclosed that a coding error in its PayPal Working Capital loan application left personally identifiable information for a small group of customers accessible to unauthorized individuals from July 1, 2025 until mid-December 2025, the company said in breach notifications and in reporting by multiple outlets. The exposed data reportedly included full names, email addresses, phone numbers, business addresses, Social Security numbers and dates of birth.

Securityaffairs, which published PayPal’s breach-notification language on Feb. 20, quoted the company directly: “On December 12, 2025, PayPal identified that due to an error in its PayPal Working Capital (‘PPWC’) loan application, the PII of a small number of customers was exposed to unauthorized individuals during the timeframe of July 1, 2025 to December 13, 2025. PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII.” The disclosure follows reporting in LinkedIn, Geo TV, Marca and The News International between Feb. 20 and Feb. 21.

Marca quoted a PayPal spokesperson as saying: “When there is a potential exposure of customer information, PayPal is required to notify affected customers. In this case, PayPal's systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter.”

There are discrepancies in the published timeline and in claims about how the information was accessed. Several outlets say PayPal discovered the issue on Dec. 12, 2025 and acted quickly to reverse the change; LinkedIn summarized the company’s action as discovering the issue on Dec. 12 and acting within 24 hours to reverse the faulty code change and block further unauthorized access. Securityaffairs’ copy of the breach text includes Dec. 13 as the final date of potential exposure. Geo TV reported that breach-notification letters were dated Feb. 10 and that impacted users were emailed earlier in February.

Geo TV additionally reported that “notorious malware accessed information related to PayPal Working Capital (PPWC) loan applications,” and said some customers had reported unfamiliar transactions on their accounts. That characterization is not corroborated in other outlets’ excerpts and Marca cites PayPal as saying its broader systems were not compromised. Reporting differs on whether password resets were forced or urged; Geo TV said users were urged to reset passwords and some pieces referenced password resets, but none of the available excerpts provide a firm count of resets.

Security and consumer advocates say exposure of Social Security numbers and dates of birth is particularly dangerous because those data points are keys to identity fraud. Published reports counsel that financial and small-business customers who used PayPal’s Working Capital product consider enrolling in credit monitoring, placing fraud alerts or freezes, and changing passwords across financial accounts.

PayPal’s public statements in news excerpts emphasize a software code change as the root cause and a rollback as remediation. Questions remain about the exact number of impacted customers, whether personal data were exfiltrated, whether any refunds or reimbursements were issued and whether external malware was involved. Publications covering the disclosure called the incident a reminder of the stakes for fintech risk controls and of the regulatory scrutiny that can follow prolonged exposures. Securityaffairs’ account was published Feb. 20, 2026; additional coverage appeared Feb. 21, 2026 in LinkedIn, Geo TV and other outlets.