PayPal has confirmed a data breach that exposed the personal information of about 100 customers who used its PayPal Working Capital (PPWC) loan product.
According to breach notification letters sent on February 10, 2026, the issue traces back to a routine code update made to the PPWC loan application last year.
Between July 1 and December 13, 2025, a mistake in that update left customer data accessible to unauthorized individuals.
The company says its internal security team discovered the problem on December 12 and rolled back the faulty code the following day, effectively cutting off access. That means the exposure lasted for nearly 6 months before it was detected.
The data exposed includes some of the most sensitive categories of personal information: Social Security numbers, dates of birth, full names, email addresses, phone numbers, and business addresses.
Taken together, these details are enough to open fraudulent credit accounts, file false tax returns, or conduct targeted phishing attacks.
PayPal confirmed that several affected customers experienced unauthorized transactions on their accounts as a result of the breach. The company says it has refunded those transactions and reset passwords for all accounts involved.
In response to the incident, PayPal is offering affected customers two years of free credit monitoring and identity restoration through Equifax.
The service includes three-bureau credit monitoring, dark web Social Security number monitoring, fraud alerts, and up to 1 million dollars in identity theft insurance. Customers must enroll by June 30, 2026.
While PayPal has described the breach as limited in scope, its wording has differed slightly between communications. In a filing with Massachusetts authorities, the company said it “terminated the unauthorized access to PayPal’s systems,” while in separate public statements it indicated that its systems were not compromised.
This is not PayPal’s first major security incident. A credential-stuffing attack in 2022 compromised approximately 35,000 accounts. In January 2025, PayPal paid a $2 million settlement to the New York State Department of Financial Services over separate cybersecurity regulation violations.
An August 2025 report also highlighted claims on underground forums that PayPal login credentials were being offered for sale.
Affected customers are advised to enroll in the Equifax monitoring service, place a credit freeze with all three major bureaus, and report any suspicious account activity to PayPal immediately.




























