PayPal has officially confirmed a security incident that left the private information of some users exposed for nearly half a year. The issue was specifically linked to the PayPal Working Capital (PPWC) service, which offers business loans to small firms based on their account sales history.
What happened and when?
The trouble began back on 1 July 2025, after a change in the software code for the loan application accidentally left sensitive details open to view. This error went unnoticed until 12 December 2025, which means unauthorised individuals possibly had access for nearly six months.
While the company’s main security vault remained safe, this internal code change effectively left a digital door unlocked. PayPal has since fixed the error, and a spokesperson confirmed that around 100 customers were potentially impacted.
What information was involved?
Reportedly, the number of people affected is small; however, the data involved is quite sensitive and includes:
- Business addresses.
- Social Security numbers.
- Full names and dates of birth.
- Email addresses and phone numbers.
Having this specific mix of details stolen is a cause for significant concern because it gives scammers exactly what they need to open new accounts or send very convincing fake emails to trick small business owners.
How is PayPal responding?
PayPal officially sent out notification letters (PDF) on 10 February 2026 to everyone affected and reset the passwords for these accounts, so impacted users will have to create a new password the next time they log in.
Additionally, a few people noticed transactions they didn’t make, and PayPal has already issued full refunds to those individuals. To protect these customers in the long term, the company is offering two years of free three-bureau credit monitoring through Equifax. This service checks your credit history across all major agencies to spot any suspicious activity. If you were affected, you must enrol for this by 30 June 2026.
A Recurring Issue with PayPal
This code error is just one of several issues PayPal users have faced recently. Hackread.com has tracked several other instances where the platform has struggled with security.
In August 2025, a major database containing over 15.8 million PayPal-related records was advertised for sale by a hacker known as Chucky_BF. While this data likely came from malware on users’ own devices rather than a direct hit on PayPal’s servers, the scale of the leak put millions at risk.
Then, in January 2026, a security flaw in PayPal’s own invoice system allowed scammers to send fake money requests with an official blue tick verification, bypassing many of the usual security filters people rely on.
Expert perspective
Commenting on the situation, Keven Knight, CEO of the security firm Talion, shared an exclusive take with Hackread.com. He expressed concern over how the incident was handled, noting:
“What is most concerning about this breach is that an organisation as large and reputable as PayPal… has waited two months to notify individuals about this incident. While credit monitoring has been offered, victims were left in the dark.”
Knight further probed the long-term risks, pointing out that while passwords can be changed, the attacker still has access to personal data that cannot be easily updated. He added that if the issue was indeed a misconfigured system, as PayPal’s claims suggest, “it’s a worrying security error. More worrying still is the fact that it went unnoticed for six months. Customers would, and should, expect better.”