TL;DR: A coding error in PayPal's Working Capital loan application exposed Social Security numbers, dates of birth, and business PII from July 1 to December 12, 2025. PayPal only discovered the breach when customers reported unauthorized transactions on their accounts. About 100 customers were affected. PayPal is offering two years of credit monitoring through Equifax, but you have to enroll by June 30, 2026.

How the Breach Happened

PayPal's Working Capital service offers loans to small businesses. To apply, you hand over sensitive financial information. Standard stuff for a loan application [1].

Sometime before July 1, 2025, someone at PayPal pushed a code change that broke something. That bug exposed applicants' data to "unauthorized individuals" for the next five and a half months [2].

The exposed data included:

  • Full names
  • Social Security numbers
  • Dates of birth
  • Business addresses
  • Email addresses
  • Phone numbers

Everything an identity thief needs to open credit cards, apply for loans, or file fraudulent tax returns in your name.

The Detection Failure

Here's the part that should worry you: PayPal didn't find this themselves [3].

Customers started reporting suspicious activity: unauthorized transactions, unexpected password resets. PayPal investigated and found the coding bug on December 12, 2025.

That means attackers were actively exploiting this vulnerability while PayPal's internal security monitoring saw nothing. For almost six months.

PayPal rolled back the code change on December 13, 2025, one day after discovery [4]. They also reset passwords for affected accounts and claim to have "strengthened security protocols."

But the damage was done. PayPal confirmed that some customers experienced unauthorized transactions as a direct result of the breach. Those customers were refunded.

Two Months to Tell You

PayPal discovered the breach on December 12, 2025. They sent notification letters dated February 10, 2026 [2].

That's a two-month delay between "we found a breach" and "we told affected customers." PayPal claims in their notification that they haven't delayed the notice "as a result of any law enforcement investigation" [4].

So what was the holdup?

Most state breach notification laws require companies to notify affected individuals "without unreasonable delay." Whether two months counts as unreasonable is up for debate, but for victims whose SSNs were floating around since July, every day of delay was another day of exposure.

What PayPal Is Offering

Affected customers get [4]:

  • Two years of three-bureau credit monitoring through Equifax
  • Identity restoration services
  • Refunds for any unauthorized transactions tied to the breach

Critical deadline: You must enroll in the credit monitoring by June 30, 2026. Miss it and you're on your own.

PayPal's official position is that "PayPal's systems were not compromised", despite their own notification letters acknowledging "unauthorized access to PayPal's systems" [3]. That's some creative wordsmithing.

What You Should Do

Enroll in Credit Monitoring

If you received a notification letter, use the activation code to enroll in the Equifax monitoring. Do it now. The June 30, 2026 deadline isn't negotiable.

Freeze Your Credit

Two years of monitoring is nice, but a credit freeze is better. It's free at all three bureaus (Equifax, Experian, TransUnion) and prevents anyone from opening new accounts in your name.

Monitor Your Accounts

Check your bank and PayPal statements carefully. Report any transactions you don't recognize immediately.

Get an IRS Identity Protection PIN

With your SSN exposed, tax fraud is a real risk. Get an IP PIN from the IRS at irs.gov to prevent fraudulent tax returns.

Update Your PayPal Password

PayPal reset affected passwords, but change yours anyway. Use a strong, unique password you don't use anywhere else.

Watch for Phishing

Scammers now have your email, phone, and business address. Expect convincing phishing attempts impersonating PayPal, your bank, or business vendors.

The Bigger Problem

A hundred affected customers might sound small. But the real story here is about detection, or lack of it.

PayPal is one of the world's largest payment processors. They handle billions in transactions. And a coding bug exposing SSNs went unnoticed for six months until customers reported fraud.

If PayPal's security monitoring can't catch this, how confident should you be in any fintech company's ability to protect your data? Other firms have failed the same test, from credit bureau TransUnion to a long list of other fintech breaches.

The answer is: not very. Assume your data will be breached. Act accordingly. Freeze your credit. Use unique passwords. Monitor your accounts. Don't rely on companies to protect you. They've proven they can't.

References

  1. Cybersecurity News - PayPal Data Breach Exposes SSNs and Business PII of Customers for Over Six Months (February 2026)
  2. Cybernews - PayPal breach exposed SSNs for six months (February 2026)
  3. The420.in - PayPal Data Breach: Customer Information Exposed, Passwords Reset And Unauthorized Transactions Confirmed (February 2026)
  4. Security Affairs - PayPal discloses extended data leak linked to Loan App glitch (February 2026)
  5. eSecurity Planet - PayPal Flaw Exposed Sensitive Data in Lending App for Six Months (February 2026)