PayPal has revealed a data breach that exposed sensitive customer information for more than six months. The company published a detailed disclosure report on its official website. It confirmed that a coding error in its PayPal Working Capital loan application led to the exposure. The issue lasted from July 1, 2025, to December 13, 2025.
The company detected the problem on December 12, 2025. A formal written notification was sent to affected users on February 10, 2026, from its headquarters in San Jose, California.
PayPal clarified that this was not the result of an external hacking attack. Instead, the exposure was caused by an internal software defect. A code change inside the PayPal Working Capital loan application interface unintentionally allowed unauthorized third parties to access customer data.
Once discovered, the company rolled back the code change and ended the unauthorized access. PayPal also stated that no law enforcement investigation delayed the customer notification.
The exposed data includes highly sensitive personal and business information. This may include full name, email address, phone number, business address, Social Security number, and date of birth. The combination of Social Security numbers and date of birth increases the risk of identity theft and financial fraud. It can also make affected users more vulnerable to social engineering scams.
PayPal said that a small number of customers experienced unauthorized transactions. The company has refunded those users. A spokesperson stated that around 100 customers were potentially impacted.
After discovering the issue, PayPal launched a full investigation. The company terminated unauthorized system access and enforced mandatory password resets for affected accounts. Users were required to set new credentials during their next login.
As part of remediation, PayPal is offering two years of free credit monitoring and identity restoration services through Equifax Complete Premier. The package includes up to one million dollars in identity theft insurance coverage.
Affected customers must enroll using their activation code before July 31, 2026.
PayPal is advising affected customers to review their transaction history and monitor their credit reports through annualcreditreport.com.
Users can also place a fraud alert or credit freeze with the three major credit bureaus, including Equifax, Experian, and TransUnion. These services are available at no cost. The company also reminded users that it will never ask for account passwords, credentials, or one-time authentication codes through phone calls, texts, or emails.
![Mivi DuoPods Vibe Earbuds [New Launch], 60 Hours Playtime, AI-ENC for HD Calls, 13mm Drivers, IPX 4.0, BT v5.3, Made in India True Wireless Bluetooth Ear Buds](https://m.media-amazon.com/images/I/41t+S6k05XL._SL160_.jpg)
