
PayPal breach exposed user data for six months: Social Security numbers and unauthorized charges
PayPal disclosed a data breach involving its Working Capital loan app for small businesses. A software error tied to a code change led to an unauthorized exposure of customer data for nearly six months, from July 1 to December 13, 2025, including names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth.
PayPal identified the breach on December 12, 2025, and rolled back the code change within a day to block further access. The company said roughly 100 customers may have been impacted, and it even detected unauthorized transactions on a small number of affected accounts. PayPal refunded those transactions and reset passwords for impacted users, requiring new credentials at the next login if not already updated.
PayPal is offering two years of free three-bureau credit monitoring and identity restoration through Equifax, with enrollment due by June 30, 2026. It advised customers to monitor credit reports and account activity, and warned that it does not request passwords or one-time codes by phone, text, or email, as phishing attempts often follow breach disclosures.



Comments
If PayPal didn't detect the bug for more than 5 months, the transactions have certainly been very low amounts or on very few accounts.
But maybe nobody uses PayPal anymore, as it was mostly used on eBay. (Ah, the 2000s era...)