PayPal Confirms Six-Month Data Exposure After Loan System Code Error Leaked Social Security Numbers

PayPal has confirmed a data exposure incident affecting its Working Capital (PPWC) business loan service, where a software code change left sensitive customer information accessible for nearly six months before being detected.

The exposure ran from 1 July 2025 to 12 December 2025, when the error was finally discovered and remediated. Approximately 100 customers were impacted, though the sensitivity of the exposed data makes this far more significant than the headcount suggests.

What Was Exposed

The code change in the loan application system inadvertently exposed:

  • Social Security numbers
  • Full names and dates of birth
  • Business addresses
  • Email addresses and phone numbers

This combination of personally identifiable information provides everything needed for identity fraud — opening new financial accounts, applying for credit, or crafting highly targeted social engineering attacks against small business owners.

PayPal confirmed that its core security infrastructure was not compromised. The exposure was caused by an internal application-level error rather than an external breach.

Unauthorized Transactions Confirmed

Some affected customers reported unauthorized transactions on their accounts. PayPal has issued full refunds in those cases and reset passwords for all impacted accounts, requiring users to create new credentials at next login.

Notification letters were sent on 10 February 2026 — two months after the issue was discovered. The company is offering two years of free three-bureau credit monitoring through Equifax, with an enrollment deadline of 30 June 2026.

Six Months Undetected

The most concerning aspect of the incident is the detection timeline. A code change in a production loan application system exposed Social Security numbers for 164 days before anyone noticed. For a financial services company of PayPal's scale, this raises serious questions about internal monitoring, code review processes, and data access auditing.

Security experts have criticized both the detection gap and the two-month notification delay. While passwords can be reset, the exposed personal data — Social Security numbers, dates of birth — cannot be changed, leaving affected users with permanent elevated risk.

Part of a Pattern

This incident follows a series of security issues affecting the PayPal platform. In August 2025, a database containing over 15.8 million PayPal-related records was advertised for sale on cybercrime forums. In January 2026, a vulnerability in PayPal's invoice system allowed scammers to send fraudulent payment requests with verified blue-tick badges, bypassing trust indicators that users rely on to identify legitimate communications.

Defender Recommendations

  • Affected users should enroll in the Equifax credit monitoring immediately — do not wait until the June 2026 deadline
  • Place fraud alerts or credit freezes with all three bureaus as an additional precaution
  • Monitor for targeted phishing — the exposed data enables highly convincing social engineering specifically targeting small business owners
  • Review PayPal account activity for any unrecognized transactions dating back to July 2025
  • Organizations using PPWC should audit their own access logs and verify no downstream exposure of business data occurred
