PayPal discloses data breach that exposed user info for 6 months
Bleeping Computer
by Sergiu GatlanFebruary 20, 2026
AI-Generated Deep Dive Summary
PayPal has revealed a data breach that exposed sensitive personal information of some customers through a software error in its PayPal Working Capital (PPWC) loan application. The breach occurred over nearly six months, from July 1, 2025, to December 13, 2025, and affected a small number of users whose details, including names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth, were exposed. PayPal identified the issue on December 12, 2025, and swiftly reversed the problematic code change the following day, blocking unauthorized access to the data. The company has also reset passwords for all impacted accounts and is requiring users to create new credentials upon their next login.
The breach occurred in the PPWC loan app, which provides small businesses with quick access to financing. While PayPal clarified that its systems were not breached, the exposed data was due to a specific error in the loan application process. Affected customers have been notified through breach notification letters and are being offered two years of free three-bureau credit monitoring and identity restoration services through Equifax, which must be enrolled by June 30, 2026. PayPal has also detected unauthorized transactions on a small number of accounts and issued refunds to those affected.
This incident highlights the importance of secure coding practices and prompt response to potential data exposures. While the breach did not involve a
Verticals
securitytech
Originally published on Bleeping Computer on 2/20/2026