PayPal has confirmed that a software error in its PayPal Working Capital loan application exposed sensitive customer information, including Social Security numbers, for nearly six months.
Quick Summary – TLDR:
- Personal data including SSNs and dates of birth was exposed from July 1 to December 13, 2025.
- The issue stemmed from a software coding error in the PayPal Working Capital loan app.
- Around 100 customers were potentially impacted, according to PayPal.
- Affected users are being offered two years of free credit monitoring through Equifax.
What Happened?
PayPal disclosed that a coding error inside its PayPal Working Capital loan application left sensitive personal data accessible to unauthorized individuals for about 165 days. The company discovered the issue on December 12, 2025, and rolled back the faulty code the next day, blocking further access.
Formal notification letters were sent to affected users on February 10, 2026. PayPal stated that the delay was not due to any law enforcement investigation.
Six Months of Data Exposure
The breach affected customers who applied for financing through PayPal Working Capital, a product designed to provide small businesses and sole proprietors with quick access to loans.
According to the company’s notification, the exposed data may have included:
- Full names
- Email addresses
- Phone numbers
- Business addresses
- Social Security numbers
- Dates of birth
This combination of data is particularly sensitive because it creates a clear path for identity theft, account takeover attempts, and targeted phishing attacks.
In its breach notice, PayPal said:
Unauthorized Transactions Reported
PayPal confirmed that a limited number of customers experienced unauthorized transactions as a direct result of the exposure. The company said it has issued refunds to those affected.
All impacted accounts had their passwords reset. Users who have not already updated their login credentials will be required to do so during their next sign-in.
A spokesperson told Cyber Press:
Notably, PayPal emphasized that its core systems were not breached and that the incident was caused by an internal software issue rather than an external hack.
Free Credit Monitoring Offered
To mitigate the risk, PayPal is offering affected users two years of complimentary three-bureau credit monitoring and identity restoration services through Equifax. Customers must enroll before June 30, 2026, using a unique activation code provided in their notification letter.
The monitoring package includes:
- Daily access to Equifax credit reports
- Three-bureau credit monitoring with email alerts
- Dark web scanning for Social Security and financial account numbers
- Automatic fraud alerts
- Up to $1,000,000 in identity theft insurance
PayPal is also urging customers to monitor their credit reports and account activity for suspicious behavior. The company reminded users that it never asks for passwords, one-time codes, or authentication credentials through phone calls, text messages, or email.
A History of Security Scrutiny
This is not the first time PayPal has faced cybersecurity challenges. In early 2023, the company disclosed that 35,000 accounts were compromised in a credential stuffing attack that occurred in December 2022.
In January 2025, New York State announced a $2,000,000 settlement with PayPal over allegations that it failed to comply with state cybersecurity regulations tied to that earlier breach.
While PayPal maintains that this latest incident was limited in scope, the exposure of Social Security numbers, even for a small group of users, raises ongoing concerns about data protection in financial technology platforms.
SQ Magazine Takeaway
Here is my honest take. When a fintech giant like PayPal says only about 100 customers were affected, that sounds small. But when Social Security numbers and dates of birth are involved, even one exposed record is serious. Small business owners rely on PayPal for fast financing. They should not have to worry about identity theft because of a coding mistake.
This incident shows that even internal software errors can create real-world consequences. Companies handling financial data must treat every line of code as critical infrastructure.