PROBABLYPWNED
Data Breaches | February 24, 2026 | 3 min read

PayPal Breach Exposed SSNs for Six Months Before Detection

A coding error in PayPal Working Capital exposed customer SSNs and business data since July 2025. Unauthorized transactions detected on some affected accounts.

Sarah Mitchell

PayPal notified customers of a data breach affecting its Working Capital loan product after a software error exposed sensitive personal information—including Social Security numbers—for nearly six months. The company discovered the issue on December 12, 2025, but the exposure began on July 1, 2025.

According to breach notification letters filed with Massachusetts, the incident affected approximately 100 customers. While the scale is small by data breach standards, the severity is high: exposed data included names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth.

More concerning, PayPal confirmed detecting unauthorized transactions on some affected accounts "as a direct result of the incident." The company has issued refunds to those customers.

What Happened

PayPal Working Capital provides small business financing through a streamlined application process. A code change introduced on July 1, 2025, inadvertently exposed customer data through the loan application interface.

PayPal identified the issue on December 12 and reversed the problematic code change the following day—cutting off attacker access within 24 hours of discovery. But the damage was done: for 164 days, sensitive business owner data sat exposed.

The company emphasized that its core systems were not breached. This wasn't a sophisticated hack exploiting a zero-day vulnerability or an attacker pivoting through compromised credentials. It was a coding mistake that created a data leak.

Impact and Remediation

PayPal is offering affected customers two years of three-bureau credit monitoring and identity restoration services through Equifax, with enrollment required by June 30, 2026.

For the subset of customers whose accounts saw unauthorized transactions, PayPal has processed refunds and presumably reset account credentials—though the notification letters don't specify additional account security measures.

Broader Context

Software bugs causing data exposure are distressingly common. The breach pattern—inadvertent exposure through legitimate application features rather than attacker intrusion—mirrors incidents at other fintech and financial services companies. The Chipotle payroll system breach we covered followed similar mechanics: third-party software misconfiguration rather than targeted attack.

What sets this incident apart is the duration. Six months of exposure before detection suggests monitoring gaps in PayPal's data loss prevention capabilities. For a company handling financial data at massive scale, that's a long time for sensitive information to sit exposed.

The unauthorized transactions confirm the exposed data was actionable—someone used it for fraud, not just collected it for future exploitation.

Recommendations for Affected Customers

If you received a breach notification from PayPal:

  1. Enroll in the credit monitoring before the June deadline
  2. Review financial statements for any transactions you don't recognize
  3. Consider a credit freeze if you're concerned about identity theft
  4. Enable MFA everywhere — especially on financial accounts not already protected

For guidance on responding to personal data exposure, see our online safety tips.

Looking Forward

PayPal's relatively quick response once the issue was identified—fixing the code within 24 hours—shows capable incident response. The failure was in detection: six months is too long for a data exposure of this sensitivity to go unnoticed.

Organizations handling sensitive data should consider continuous monitoring for unexpected data access patterns, not just perimeter security. The attackers didn't break in; the door was left open.
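One concrete form that monitoring can take, added here as an example and not PayPal's own code (nothing is publicly known about their interface): a regression check run against a team's own loan-application API responses that walks the decoded JSON body and reports any unmasked sensitive field or SSN-shaped value, so a code change that starts returning full SSNs fails the check instead of going unnoticed. The field names, masking convention and sample payloads are assumptions constructed for the example.

```python
import re
from typing import Any

# A full 9-digit SSN, with or without dashes, not embedded in a longer digit run.
# Masked forms such as ***-**-6789 do not match and are treated as acceptable.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}(?!\d)")
# Assumed field names that must never be returned unmasked by a status endpoint.
SENSITIVE_KEYS = {"ssn", "social_security_number", "tax_id", "date_of_birth", "dob"}

def find_unexpected_pii(payload: Any, path: str = "$") -> list[str]:
    """Return JSONPath-like locations of exposed sensitive data in a decoded
    JSON response: a sensitive key holding an unmasked value, or any string
    anywhere in the body that contains an SSN-shaped number."""
    findings: list[str] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}"
            if key.lower() in SENSITIVE_KEYS and isinstance(value, str) and "*" not in value:
                findings.append(child)          # unmasked sensitive field
            else:
                findings.extend(find_unexpected_pii(value, child))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            findings.extend(find_unexpected_pii(item, f"{path}[{i}]"))
    elif isinstance(payload, str) and SSN_RE.search(payload):
        findings.append(path)                   # SSN-shaped value in free text
    return findings

# Constructed sample responses (not real customer data): the first is what a
# loan-status endpoint is expected to return, the second is the kind of
# over-exposure a bad code change can introduce.
EXPECTED_RESPONSE = {
    "application_id": "WC-0001",
    "business": {"name": "Example Bakery LLC", "owner": {"ssn": "***-**-6789"}},
    "status": "approved",
}
LEAKY_RESPONSE = {
    "application_id": "WC-0001",
    "business": {"name": "Example Bakery LLC",
                 "owner": {"ssn": "123-45-6789", "date_of_birth": "1985-03-14"}},
    "notes": ["contact 123456789 for payoff"],
    "status": "approved",
}

if __name__ == "__main__":
    for name, body in (("expected", EXPECTED_RESPONSE), ("leaky", LEAKY_RESPONSE)):
        print(name, find_unexpected_pii(body) or "clean")
```

Wired into a contract test or a sampled scan of production responses, a non-empty result is the alert that would have fired on July 1 rather than December 12.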
