PayPal is notifying customers that a software error in its PayPal Working Capital loan application exposed personal information, including Social Security numbers and dates of birth, from July 1 to December 13, 2025.
KEY FACTS
- Incident Software error in the PayPal Working Capital loan app exposed data
- Data exposed Names, emails, phone numbers, business addresses, Social Security numbers and dates of birth
- Timeframe July 1, 2025 to December 13, 2025
- Mitigation Code change rolled back and passwords reset for impacted accounts
The company discovered the exposure on December 12, 2025. In breach notification letters the company said the affected fields included names, email addresses, phone numbers, business addresses, Social Security numbers and dates of birth.
The company reversed the code change that caused the incident and blocked unauthorized access one day after discovery. Impacted accounts had passwords reset and users will be prompted to create new credentials on next login if they have not already done so.
The company detected unauthorized transactions on a small number of accounts and issued refunds to those customers. It is offering affected users two years of free three-bureau credit monitoring and identity restoration through Equifax, with enrollment required by June 30, 2026.
The company reminded customers that it never requests account passwords or authentication codes by phone, text or email and advised users to monitor credit reports and account activity for suspicious transactions.
WHY IT MATTERS
Exposure of Social Security numbers and birth dates raises the risk of identity theft. Affected customers have access to monitoring and restoration services but must enroll by the stated deadline to receive them.