PayPal Reveals Prolonged Sensitive Data Exposure Incident in 2025

PayPal has disclosed a significant security incident in which sensitive customer information remained exposed for nearly six months in 2025 due to a flaw in its business financing tool. The issue has impacted users of the Working Capital loan application, revealing personally identifiable information to unauthorized parties.

Incident Details and Timeline

The vulnerability stemmed from a coding error in the PayPal Working Capital platform, which is intended to give small businesses quick access to financing.

From July 1 to mid-December 2025, the flaw enabled access to critical data including full names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth. PayPal detected the issue on December 12, 2025, and fixed it within 24 hours by reversing the faulty code.

Company Response and Mitigation

In response, PayPal notified affected customers, describing the impact as limited to a small number of users without specifying exact figures. Some accounts also faced fraudulent transactions, but the company fully reimbursed those losses.

Mitigation steps taken by the company include resetting passwords, requiring new login credentials, rolling back the software update, and providing two years of free credit monitoring via Equifax, available until June 30, 2026. Users also received advice to monitor accounts and credit reports closely.

PayPal warned against phishing, noting it never requests passwords or codes via unsolicited contacts.

Not the First Time

This is not the first time PayPal has been involved in a security incident. In 2023, 35,000 accounts suffered from credential stuffing attacks, which ultimately led to a USD 2 million settlement in New York in January 2025 for cybersecurity lapses.

The breach was caused by an internal error rather than hacking, and it highlights the risks of rapid software updates that handle sensitive data.

Frequently Asked Questions (FAQ)

Q: What data was exposed in the PayPal incident?

A: Exposed information included full names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth.

Q: How long did the exposure last?

A: The flaw persisted from July 1 until mid-December 2025, about six months.

Q: What actions did PayPal take immediately?

A: PayPal reversed the code change within 24 hours of discovery on December 12, 2025, reset passwords, and required new credentials.

Q: What support is offered to affected users?

A: Two years of free credit monitoring and identity restoration through Equifax, enrollable by June 30, 2026.

Q: Is this PayPal’s first security issue?

A: No. It follows a 2023 breach of 35,000 accounts and a USD 2 million settlement in 2025.

Emman Tortoza
Chief Editor and Content Lead at Gadget Pilipinas

Emman has been writing technical and feature articles since 2010. Prior to this, he became one of the instructors at Asia Pacific College in 2008, and eventually landed a job as Business Analyst and Technical Writer at Integrated Open Source Solutions for almost 3 years.
