PayPal has notified customers of a data breach linked to a software error in its PayPal Working Capital (PPWC) loan application, a financing tool designed for small businesses.
The company said the issue was discovered on December 12, 2025, and that personally identifiable information was exposed to unauthorized individuals between July 1 and December 13, 2025.
According to PayPal, the compromised data may have included names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth.
In breach notification letters sent to affected users, the company explained that the exposure resulted from an error within the PPWC loan application.
PayPal said it rolled back the faulty code and blocked unauthorized access within a day of discovering the issue.
The firm also identified unauthorized transactions on some accounts linked to the incident and issued refunds to impacted customers.
To assist those affected, PayPal is offering two years of free credit monitoring and identity restoration services through Equifax, with enrollment open until June 30, 2026.
Customers have been advised to monitor their credit reports and account activity for suspicious transactions.
PayPal further reminded users that it does not request sensitive information such as passwords or one-time codes via phone calls, text messages, or email, warning that such requests are common phishing tactics.
The company has reset passwords for affected users and said they will be prompted to create new login credentials if they have not already done so.
The breach follows a previous credential stuffing attack that affected about 35,000 accounts between December 6 and December 8, 2022. In January 2025, New York State reached a $2 million settlement with PayPal over alleged failures to comply with state cybersecurity regulations related to that incident.
In a follow-up clarification, a PayPal spokesperson said the company’s broader systems were not compromised and that approximately 100 customers were affected.
“When there is a potential exposure of customer information, PayPal is required to notify affected customers,” the spokesperson said, adding that the notification was issued to raise awareness and provide guidance to impacted users.
