
PayPal says Working Capital coding error exposed SSNs and business PII

PayPal revealed a coding error in its Working Capital loan app exposed names, DOBs and sometimes SSNs from July 1 to Dec. 13, 2025; affected customers get Equifax monitoring.

Sarah Chen · 3 min read
Source: cyberinsider.com

An internal code change in PayPal’s Working Capital loan application left personally identifiable information, including Social Security numbers in some cases, accessible to unauthorized individuals for roughly six months, the company disclosed in breach-notification letters. The exposure window ran from July 1, 2025, to December 13, 2025, PayPal said, and the company detected the problem on December 12, 2025 and reversed the change the following day.

PayPal’s written notice reproduced by multiple security outlets said: “On December 12, 2025, PayPal identified that due to an error in its PayPal Working Capital (‘PPWC’) loan application, the PII of a small number of customers was exposed to unauthorized individuals during the timeframe of July 1, 2025 to December 13, 2025. PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII.” The company added in the notice, “We have not delayed this notification as a result of any law enforcement investigation.”

The data fields cited across the company notices and security reporting include names, email addresses, phone numbers, business addresses, dates of birth and, in some cases, Social Security numbers. PayPal told eSecurity Planet, “Upon learning about this unauthorized activity, we began an investigation and terminated the unauthorized access to PayPal’s systems.” PayPal also emphasized that its core systems were not breached.

PayPal has offered affected customers two years of three-bureau credit monitoring and identity restoration services through Equifax; enrollment is required by June 30, 2026, according to BleepingComputer’s reporting. The company has issued refunds to a “few” customers who experienced unauthorized transactions tied to the exposure, though it has not published a total count or dollar amount for those incidents.

A key open question remains the scale of the leak. PayPal’s notification repeatedly describes the incident as affecting “a small number of customers” and provides no firm tally. One outlet, eSecurity Planet, reported an estimate of approximately 100 potentially affected customers; security reporters and regulators will need PayPal’s breach letter filings or direct confirmation to reconcile that figure with the company’s public wording.

AI-generated illustration

The incident underscores growing operational risks in fintech platforms where rapid code changes and continuous deployment can introduce data-path errors. For small businesses that use PayPal Working Capital, a product that advances funds against PayPal sales, exposure of financial identity data raises acute fraud and identity-theft risks and could depress borrower confidence in short-term online lending offerings.

Regulatory scrutiny is a likely next step. State breach-notification laws require prompt disclosure in many jurisdictions, and federal agencies including the Consumer Financial Protection Bureau monitor incidents that affect consumers’ financial data. PayPal’s February 10, 2026 letters, dated from its San Jose headquarters, came nearly two months after the company says it detected and rolled back the fault; the company’s statement that the timing was not delayed by law enforcement will not fully remove questions about timeliness under state statutes.

PayPal’s immediate remediation (rollback, investigation, refunds and paid credit monitoring) is standard industry practice, but analysts note that the long-term costs include identity-restoration claims, customer attrition and potential regulatory fines if inquiries find inadequate change-management or data-protection controls. Reporters seeking clarity should obtain PayPal’s full breach-notification letter and confirm the exact number of affected accounts, whether SSNs were stored in full or partially redacted, and whether state or federal regulators have been notified or have opened investigations.
