
PayPal discloses data breach that exposed user information for six months

PayPal is notifying customers of a data breach after a software error in a loan application exposed their sensitive personal information, including Social Security numbers, for nearly 6 months last year.

The incident affected the PayPal Working Capital (PPWC) loan app, which provides small businesses with quick access to financing.

PayPal discovered the breach on December 12, 2025, and determined that customers’ names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth had been exposed since July 1, 2025.


The financial technology company said it has reversed the code change that caused the incident, blocking attackers’ future access to the data after discovering the breach.

“On December 12, 2025, PayPal identified that due to an error in its PayPal Working Capital (“PPWC”) loan application, the PII of a small number of customers was exposed to unauthorized individuals during the timeframe of July 1, 2025 to December 13, 2025,” PayPal said in breach notification letters sent to affected users.


“PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII. We have not delayed this notification as a result of any law enforcement investigation.”

PayPal also detected unauthorized transactions on the accounts of a small number of customers as a direct result of the incident and has issued refunds to those affected.

The company now offers affected users two years of free three-bureau credit monitoring and identity restoration services through Equifax, which require enrollment by June 30, 2026.

Affected customers are also advised to monitor their credit reports and their account activity for suspicious transactions. PayPal reminded users that it never requests account passwords, one-time codes, or other authentication credentials via phone, text, or email, a common tactic used in phishing attacks that often follow data breach disclosures.

While PayPal has yet to disclose how many customers were affected, it has reset passwords for all impacted accounts and said that users will be prompted to create new credentials upon their next login if they haven’t already done so.


BleepingComputer reached out to a PayPal spokesperson with questions about the incident, but a response was not immediately available.

In January 2023, PayPal notified customers of another data breach after a large-scale credential stuffing attack compromised 35,000 accounts between December 6 and December 8, 2022.

Two years later, in January 2025, New York State announced a $2,000,000 settlement with PayPal over charges that it failed to comply with the state’s cybersecurity regulations, leading to the 2022 data breach.
