Rabat – PayPal is notifying a limited number of business customers after a software error in its PayPal Working Capital loan application exposed sensitive personal information for more than five months in 2025, including Social Security numbers (SSns) and dates of birth.
According to the company’s February 10 breach notification letter, the issue stemmed from a code error within the PayPal Working Capital app that allowed unauthorized individuals to access personally identifiable information between July 1 and December 13, 2025. PayPal said it identified the problem on December 12 and rolled back the code change responsible for the exposure.
The at-risk data included customers’ names, email addresses, phone numbers, and business addresses, in combination with SSNs and dates of birth. The company described the incident as affecting a small number of customers, confirming that some impacted accounts experienced unauthorized transactions, which were later refunded.
The company specified the breach did not involve a large-scale external intrusion into PayPal’s broader infrastructure, but rather a flaw inside the PayPal Working Capital loan system. The error effectively created a window during which unauthorized parties could access loan applicant data stored within the app environment.
Once discovered, PayPal terminated the unauthorized access, reset passwords for affected accounts, and implemented enhanced security controls requiring impacted users establish new credentials. The company stated that the notification was not delayed by any law enforcement investigation.
The exposure of SSNs elevates the severity of the incident, as they are commonly used in identity verification processes across financial institutions. In the wrong hands, such data can be leveraged for account takeovers, fraudulent credit applications, and other forms of financial abuse.
Read also: FICOBA Data Breach Affects 1.2 Million French Bank Accounts
PayPal is offering two years of complimentary credit monitoring and identity restoration services through Equifax to affected customers. The enrollment deadline for those services is July 21, 2026.
In its notice, the company advised customers to monitor account activity, review credit reports, and remain alert to suspicious communications. It reiterated that it does not request passwords or authentication codes through unsolicited calls, texts, or emails.
The incident adds to a series of security-related events affecting PayPal in 2025, though this breach was limited in scope. Last August, a dataset of 16 million PayPal credentials, including emails and passwords, was stolen.Â
The exposure underscores the risks tied to software misconfigurations and coding errors within financial technology platforms, where a single flaw can leave highly sensitive identity data accessible for extended periods before detection.

Join on WhatsApp
Join on Telegram







