PayPal recently disclosed a data breach that affected customers’ personal information and led to fraudulent transactions.
Notification letters sent to impacted individuals revealed that the cybersecurity incident was caused by an error in the PayPal Working Capital (PPWC) loan application.
Due to the error, the personal information of a “small number of customers” was exposed for nearly six months, between July 1 and December 13, 2025.
Exposed information included names, email addresses, dates of birth, phone numbers, and business addresses combined with SSNs.
The code that had introduced the error was rolled back and the affected customers’ passwords were reset. However, the vulnerability was exploited before it was patched.
“A few customers experienced unauthorized transactions on their account and PayPal has issued refunds to these customers,” PayPal said in its notification, a copy of which was submitted to authorities in Massachusetts.
In a statement to the media, PayPal said it notified the roughly 100 customers affected by the incident, but noted that its “systems were not compromised.”
This contradicts the official notification to affected users, which states that the company “terminated the unauthorized access to PayPal’s systems” after detecting the breach.
SecurityWeek has reached out to PayPal for clarification.
