PayPal Flaw Exposed Email Addresses, Social Security Numbers for 6 Months

PayPal is notifying customers after a software error in its PayPal Working Capital (PPWC) loan application exposed certain personal information, including social security numbers, for nearly six months in 2025.

Although the company said its core systems were not breached, the issue resulted in potential unauthorized access to sensitive customer data.

“Upon learning about this unauthorized activity, we began an investigation and terminated the unauthorized access to PayPal’s systems,” PayPal said in a notification letter to customers.

They added, “A few customers experienced unauthorized transactions on their account and PayPal has issued refunds to these customers.”

How a coding error exposed customer data

The incident occurred within PayPal’s Working Capital (PPWC) loan platform, a service that provides short-term financing to small businesses. According to the company, a code modification introduced into the application inadvertently exposed personally identifiable information (PII) to unauthorized individuals.

The exposure window lasted from Jul. 1, 2025, to Dec. 13, 2025, before the issue was identified. PayPal said it detected the problem on Dec.12, 2025, and rolled back the faulty code change the following day to prevent further access.

Although PayPal emphasized that its broader systems were not compromised and that approximately 100 customers were potentially affected, the data involved was sensitive. Exposed information included:

• Names.
• Email addresses.
• Phone numbers.
• Business addresses.
• Dates of birth.
• Social Security numbers.

The company also confirmed that unauthorized transactions were detected on a small number of impacted accounts and that refunds were issued.

PayPal has not publicly detailed the precise technical mechanism behind the exposure but confirmed that an application-level coding issue caused the situation. At the time of disclosure, PayPal reported that it had found no evidence that its wider infrastructure had been breached.

Because the exposed data included Social Security numbers and dates of birth, it raises the risk of targeted social engineering and account takeover attempts that use accurate personal details to bypass security checks.

What customers need to know

In response to the incident, PayPal implemented several immediate remediation measures to contain the exposure and support affected customers.

• Rolled back the code change responsible for the exposure.
• Reset passwords for impacted accounts.
• Issued refunds for unauthorized transactions.
• Offered two years of free three-bureau credit monitoring and identity restoration services through Equifax.

Beyond PayPal’s direct response, the incident highlights broader security lessons and practical controls organizations can adopt to reduce the risk of similar data exposure events.

• Strengthen change management processes by requiring testing, peer review, and post-deployment validation for updates affecting sensitive data.
• Implement data minimization, tokenization, or field-level encryption to reduce exposure of high-risk information such as Social Security numbers.
• Enforce least privilege access controls and network segmentation to limit access to sensitive systems and reduce potential blast radius.
• Enhance logging, monitoring, and data loss prevention controls to detect anomalous access to regulated data fields in real time.
• Prepare for secondary threats by reinforcing multi-factor authentication and user awareness to mitigate phishing campaigns that often follow breach disclosures.
• Integrate application-layer exposures into vulnerability management programs and regularly test incident response plans and tabletop data exposure scenarios.

Collectively, these measures help limit the blast radius of data exposure incidents while reinforcing resilient controls that reduce the likelihood and impact of future events.

Editor’s note: This article originally appeared on our sister website, eSecurityPlanet.