PayPal recently revealed that a software bug within its business loan application led to a six-month data leak involving sensitive customer details. The breach, which lasted from July to December 2025, exposed personal information such as Social Security numbers and birth dates before the company patched the error.
The security incident originated from a coding flaw in the PayPal Working Capital application, which inadvertently made private data accessible to unauthorized parties. Upon discovering the issue on December 12, 2025, the company immediately rolled back the problematic code to prevent further exposure. PayPal clarified that the delay in notifying the public was not caused by any ongoing law enforcement investigations, but rather by the time needed to identify the scope of the error.
Following the discovery, PayPal initiated a comprehensive internal investigation to block further intrusion and reset passwords for those potentially affected. The company also introduced enhanced security protocols to prevent similar software-related vulnerabilities in the future. While the breach was technical in nature, a small group of users reported unauthorized transactions on their accounts, all of which have since been fully reimbursed by the company.
To assist those whose sensitive information was compromised, PayPal is providing two years of free credit monitoring and identity restoration services through Equifax. Impacted individuals are being urged to sign up for these services by the end of June 2026 to safeguard their financial identities. This proactive measure is intended to mitigate the long-term risks associated with the exposure of Social Security numbers and other permanent identifiers.
Security experts recommend that all affected customers remain vigilant by frequently reviewing their bank statements and credit reports for any signs of suspicious activity. Beyond the provided monitoring services, users are encouraged to utilize resources from the FTC to better understand how to manage fraud alerts. This incident serves as a reminder of the risks posed by internal software errors, contrasting with a previous 2023 incident where PayPal accounts were accessed through external credential stuffing attacks.
Source: PayPal Discloses Extended Data Leak Tied To Loan App Glitch


