PayPal is notifying customers after a software error in its PayPal Working Capital loan application exposed sensitive personal information for nearly six months in 2025.
The issue was discovered on December 12, 2025. According to the company, the error caused the personal data of a small number of customers to be visible to unauthorized individuals between July 1 and December 13, 2025. The exposed information included names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth.
PayPal said the problem was caused by a code change in the PayPal Working Capital loan app, which helps small businesses access financing. The company rolled back the faulty code within a day of discovering the issue, blocking any further access to the data.
In notification letters sent to affected users, PayPal stated that it did not delay informing customers because of any law enforcement investigation. The company also confirmed that it reset passwords for all impacted accounts. Users who have not yet changed their credentials will be asked to create new ones the next time they log in.
PayPal detected unauthorized transactions on a small number of affected accounts and has already issued refunds. To support customers, the company is offering two years of free credit monitoring and identity restoration services through Equifax. Those affected must enroll in the service by June 30, 2026.
Customers are being urged to review their credit reports and monitor their accounts for suspicious activity. PayPal also reminded users that it does not ask for passwords, one-time passcodes, or other login credentials by phone, text message, or email, warning that phishing attempts often increase after breach notifications.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
After initial reports described the incident as a data breach, a PayPal spokesperson clarified that the company’s systems were not hacked. Instead, the exposure was due to an internal error. The spokesperson said around 100 customers were potentially impacted and were contacted directly.





