PayPal Confirms Six-Month Data Exposure Due to Loan System Error
PayPal Confirms Six-Month Exposure of Sensitive User Data
A security incident at PayPal has resulted in the exposure of sensitive information, including names, dates of birth, and Social Security numbers, for nearly six months. The breach was linked to the company’s Working Capital loan system, which provides business loans to small firms based on their account sales history.
The Breach
The issue began on July 1, 2025, when a software code change for the loan application inadvertently left sensitive details vulnerable to unauthorized access. The error went undetected until December 12, 2025, leaving a digital door open for potential exploitation. PayPal has since corrected the error and confirmed that around 100 customers were potentially impacted.
Exposed Data
The exposed data includes business addresses, Social Security numbers, full names, dates of birth, email addresses, and phone numbers. This specific combination of information is particularly concerning, as it provides scammers with the necessary details to open new accounts or send convincing fake emails to trick small business owners.
Response to the Incident
In response to the incident, PayPal sent notification letters to affected customers on February 10, 2026, and reset their passwords. Impacted users will be required to create new passwords upon their next login. Additionally, some customers reported unauthorized transactions, which PayPal has already refunded. To protect these customers in the long term, the company is offering two years of free three-bureau credit monitoring through Equifax; customers must enroll by June 30, 2026.
Previous Security Issues
This incident is not the first security issue faced by PayPal users. In August 2025, a hacker advertised a database containing over 15.8 million PayPal-related records for sale. Although the data likely originated from malware on users’ devices rather than a direct attack on PayPal’s servers, the scale of the leak put millions at risk. In January 2026, a security flaw in PayPal’s invoice system allowed scammers to send fake money requests with official verification, bypassing security filters.
Keven Knight, CEO of the security firm Talion, expressed concern over the handling of the incident, stating, “What is most concerning about this breach is that an organization as large and reputable as PayPal has waited two months to notify individuals about this incident. While credit monitoring has been offered, victims were left in the dark.”
Knight highlighted the long-term risks, noting that while passwords can be changed, the attacker still has access to personal data that cannot be easily updated. He added that if the issue was indeed a misconfigured system, as PayPal claims, “it’s a worrying security error. More worrying still is the fact that it went unnoticed for six months. Customers would, and should, expect better.”
