Paypal Data Breach | Customers PII Exposed

Summary

On February 20, 2026, PayPal disclosed a data breach affecting its PayPal Working Capital (PPWC) loan application, caused by a software coding error that exposed sensitive customer data to unauthorized individuals for nearly six months.

The affected period:
• July 1, 2025 – December 13, 2025 (approximately 165 days)

Exposed data includes:
• Full name
• Email address
• Phone number
• Business address
• Social Security Number (SSN)
• Date of birth

The breach disproportionately impacted small business owners and sole proprietors using the PPWC platform.

Research Source

Reporting by Cyber Press, with insights from PayPal’s disclosure, indicates that the incident resulted from a coding error in the PPWC platform, which allowed temporary unauthorized access.

PayPal confirmed that its internal systems were not compromised, and the company rolled back the erroneous code one day after discovery on December 13, 2025. Formal breach notifications were sent to affected customers on February 10, 2026.

Technical Details

The breach was not due to an external attack, but a software misconfiguration that inadvertently exposed sensitive PII.

Potential risk from the exposure:
• Identity theft
• Account takeover
• Targeted social engineering attacks
• Fraudulent financial activity

A small subset of affected customers reported unauthorized transactions, which PayPal has refunded.

Observed Attack Activity

While the breach originated from a coding error rather than a targeted attack, potential misuse of exposed information includes:

PII Exploitation
• Use of exposed SSNs and dates of birth for identity theft
• Social engineering or phishing attacks targeting affected businesses
• Account takeover attempts

Financial Impact
• Unauthorized transactions on customer accounts (limited cases)

Impact

Exposure of PPWC customer data may allow attackers to:
• Access sensitive personal and business information
• Conduct identity theft or fraud
• Exploit small business owners through phishing or account manipulation

Because the data includes high-value PII and business contact information, the breach carries elevated risk for identity theft and financial fraud.

Mitigation

PayPal’s response actions:
1. Terminated unauthorized access on December 13, 2025
2. Rolled back erroneous code change
3. Reset passwords for all affected accounts
4. Issued breach notification letters to impacted customers
5. Provided two years of Equifax Complete Premier credit monitoring and identity restoration services
• Includes daily credit reports, three-bureau monitoring, dark web alerts, and up to $1,000,000 in identity theft insurance
• Enrollment required by June 30, 2026

References

• Cyber Press: https://cyberpress.org/paypal-data-breach/
• PayPal official disclosure (February 2026)