107/69 Monday, February 23, 2026
PayPal has disclosed a data exposure incident stemming from a software error in its PayPal Working Capital (PPWC) platform, a business lending application. The flaw resulted in the unauthorized exposure of certain customers’ personal information between July 1 and December 13, 2025. Affected data included names, email addresses, phone numbers, physical addresses, Social Security numbers (SSNs), and dates of birth. The company detected the issue on December 12, 2025, and remediated it by removing the faulty code. PayPal stated that notification was not delayed due to any law enforcement investigation.
Following discovery of the incident, PayPal launched an internal investigation, blocked unauthorized access, reset passwords for affected accounts, and implemented additional security monitoring measures. The company acknowledged that some customers reported unauthorized transactions, which have since been reimbursed. Impacted individuals are being offered two years of free credit monitoring and identity restoration services through Equifax.
PayPal advises users to closely monitor their accounts and transaction histories, review free credit reports for suspicious activity, and promptly report any irregularities. Affected customers may enroll in credit monitoring services from all three major credit bureaus via Equifax until June 30, 2026. The company also recommends additional protective measures, such as placing fraud alerts and following guidance from agencies like the Federal Trade Commission (FTC) to safeguard personal information.
Previously, in January 2023, PayPal reported that 34,942 customer accounts were accessed without authorization due to a credential stuffing attack, which the company stated did not involve a direct breach of its internal systems.
