PayPal Data Breach Exposed Personal Information Through Loan Application Error

What happened

PayPal disclosed a data breach caused by a software error in its PayPal Working Capital (PPWC) loan application that exposed customer personal information to unauthorized individuals between July 1 and December 13, 2025. The exposed data included names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth. PayPal discovered the issue on December 12, 2025, reversed the code change responsible for the exposure, reset passwords for affected accounts, and issued refunds for unauthorized transactions linked to the incident. The company stated that approximately 100 customers were impacted and confirmed the exposure resulted from a coding error rather than a compromise of its core systems. 

Who is affected

Customers using the PayPal Working Capital loan application whose personal and financial information was exposed due to the software error are affected, including small business users relying on PayPal financing services. 

Why CISOs should care

The incident highlights how application-level software errors can expose sensitive personal and financial data even when core infrastructure remains uncompromised, and it underscores the risks tied to software development and application deployment practices.

3 practical actions

  • Audit application code changes and deployments. Ensure code updates undergo proper security review to prevent unintended data exposure. 
  • Reset credentials and monitor affected accounts. PayPal reset passwords and refunded unauthorized transactions after detecting the exposure. 
  • Offer credit monitoring and identity protection services. PayPal provided affected users with two years of credit monitoring and identity restoration services.