PayPal says a software coding error in its Working Capital loan application exposed sensitive customer information for nearly six months, affecting a small number of users and prompting account resets and credit-protection offers. According to TechRepublic reporting, this issue was publicly disclosed in February 2026 following official notifications to impacted customers.
According to the company’s account of the incident, the flaw existed from about July 1, 2025, until roughly December 13, 2025. PayPal identified the problem on December 12, 2025, and removed the offending code. The company notified affected customers publicly in early February 2026. Businessday NG confirmed the timeline and rollback details.
PayPal reports that roughly one hundred customers of the Working Capital service received breach notifications. Although that number is small compared with the platform’s global user base, the exposed records included highly sensitive personal identifiers. The company says the data may have contained names, email addresses, phone numbers, business addresses, dates of birth and, in some cases, Social Security numbers.
In certain accounts, PayPal recorded signs of unauthorized activity. The company says it refunded customers for fraudulent charges and forced password resets for impacted accounts. In its remedial steps, PayPal also rolled back the code change that allowed the exposure and required affected users to create new passwords when they next logged in. Forbes coverage notes the password resets and recovery services.
To help guard against identity theft, PayPal offered two years of free credit monitoring and identity restoration services through Equifax. Equifax was named as the provider for those protections.
PayPal characterized the incident as the result of an internal coding error tied to the Working Capital loan application, rather than a broader system intrusion or an external hack of its core payments platform. The company said it found no evidence that its main systems were maliciously compromised.
The timeline PayPal provided places the exposure squarely in the second half of 2025, with the code change active for nearly six months before rollback. The company’s public notifications to customers came later, in February 2026.
The combination of limited scope by account count and high sensitivity of the exposed fields shapes the practical risk: fewer people than in a mass breach were affected, but those individuals faced a heightened chance of identity fraud because Social Security numbers and birth dates were among the exposed items. PayPal’s refunds, forced password resets and credit-monitoring offer are standard corporate responses aimed at mitigating immediate financial loss and the longer-term consequences of identity theft.
PayPal also reminded customers of common safety practices, including that the company will not ask for passwords or verification codes by email or phone — a reminder aimed at reducing the effectiveness of phishing attempts that often follow breach disclosures.
The incident announced in February 2026 is separate from earlier reports of credential dumps that circulated in 2025. Those earlier reports involved large troves of account credentials appearing on criminal forums and were tied to credential stuffing and reuse, not to a confirmed compromise of PayPal’s systems, according to the company.
Because the exposed data included identifiers commonly used to open accounts or verify identity, security experts generally recommend that affected individuals enroll in offered credit-monitoring services, review their credit reports for suspicious activity, and consider placing a credit freeze or fraud alert if they suspect misuse. PayPal’s notification included instructions for the enrolled protections and guidance on monitoring account activity.
PayPal says it has taken corrective steps to close the vulnerability and has been working with impacted customers to repair the direct harms. The company’s disclosures do not indicate broader compromise of its core payments systems beyond the Working Capital application, and the affected user count remains near the low hundreds. Still, the presence of Social Security numbers and birth dates in the exposed dataset makes the incident significant for the people whose information was exposed.
Discover more from Aree Blog
Subscribe now to keep reading and get access to the full archive.
