PayPal has confirmed a data breach that compromised the personal information of its customers, resulting in fraudulent transactions. The security incident, attributed to a flaw in the PayPal Working Capital (PPWC) loan application, affected a small number of individuals over a period of nearly six months, from July 1, 2025, to December 13, 2025.
Notification letters sent to those impacted revealed that exposed data included names, email addresses, dates of birth, phone numbers, and business addresses, alongside Social Security Numbers (SSNs). The company stated that it has since rolled back the code responsible for the error and reset the passwords of the affected customers.
Despite these measures, some users experienced unauthorized transactions on their accounts prior to the resolution of the issue. According to PayPal, the company has issued refunds to these customers as part of its response to the breach. The notification submitted to authorities in Massachusetts indicated that approximately 100 customers were directly affected by this security lapse.
In a statement to the media, PayPal emphasized that its systems were not compromised, a claim that stands in contrast to the notification sent to users, which mentioned that it had “terminated the unauthorized access to PayPal’s systems” after detecting the breach. This discrepancy has raised questions about the overall security posture of the company and the clarity of its communication with customers.
As part of its ongoing commitment to security, PayPal has been proactive in addressing vulnerabilities. The company has stated its intention to enhance security measures and prevent future incidents. The incident comes on the heels of other data breaches affecting financial institutions, including a recent report from French authorities indicating that 1.2 million bank accounts were compromised.
The breach has drawn attention to the broader risks associated with online financial services and the importance of robust cybersecurity measures. As customers increasingly rely on digital platforms for transactions, the need for transparent communication and swift action in response to security threats has never been more critical.
SecurityWeek has reached out to PayPal for further clarification on the incident and its implications for customers moving forward. The evolving landscape of cybersecurity continues to pose challenges for companies and consumers alike, underscoring the importance of vigilance in protecting personal information.
