PayPal Confirms Data Breach Exposing User Information for Six Months


PayPal Data Breach Exposes Sensitive User Data

A software glitch in PayPal’s Working Capital loan application exposed sensitive user data for nearly six months in 2022.

Incident Details

The incident, which was discovered on December 12, 2025, affected a small number of customers and included the exposure of names, addresses, phone numbers, business addresses, Social Security numbers, and dates of birth.

The breach occurred between July 1, 2025, and December 13, 2025, and was caused by an error in the loan application’s code. PayPal reversed the code change on December 13, 2025, effectively blocking unauthorized access to the exposed data.

Impact and Response

In addition to the data exposure, PayPal detected unauthorized transactions on a small number of affected accounts and has since issued refunds to those customers.

The company is offering two years of free credit monitoring and identity restoration services through Equifax to impacted users, who must enroll by June 30, 2026.

PayPal has also reset passwords for all affected accounts and will prompt users to create new credentials upon their next login.

PayPal reminded users that it never requests account passwords, one-time codes, or other authentication credentials via phone, text, or email; such requests are a common tactic in phishing attacks.

Previous Breaches

This incident marks the second major data breach disclosed by PayPal in recent years.

In January 2023, the company notified customers of a large-scale credential stuffing attack that compromised 35,000 accounts between December 6 and December 8, 2022.

In January 2025, New York State announced a $2 million settlement with PayPal over charges that it failed to comply with the state’s cybersecurity regulations, leading to the 2022 data breach.

Notification and Advice

PayPal has not disclosed the exact number of customers affected by the latest breach.

The company has notified impacted users and is advising them to monitor their credit reports and account activity for suspicious transactions.


