PayPal is warning customers about a data breach that leaked personal data for six months. The leaked data includes social security numbers.
The cause was a software error in PayPal Working Capital, an application that lets small businesses easily take out a business loan. The leak occurred between July 1, 2025, and December 13, 2025. In addition to names and email addresses, phone numbers, business addresses, social security numbers, and dates of birth were also compromised.
PayPal discovered the leak on December 12, 2025, and withdrew the responsible code one day later. This blocked further access to the data. “PayPal has since reversed the code change that caused this error, which may have exposed personal data. We did not delay this notification due to a law enforcement investigation,” the company stated in a message to affected users.
Unauthorized transactions
The platform also detected unauthorized transactions on a limited number of accounts as a direct result of the data breach. Affected customers received refunds.
The company further states that the breach was limited to a small group, but the exact number of affected customers is unknown. As compensation, the American payment platform is now offering affected users two years of free credit monitoring and identity restoration services through Equifax. These services require registration before June 30, 2026.
PayPal advises customers to monitor their credit reports and active accounts for suspicious activity. The company reminds users that it never asks for passwords, one-time codes, or other authentication details by phone, text message, or email. Requests of that kind are common in phishing attacks, which typically follow the disclosure of data breaches.
PayPal has reset the passwords of all affected accounts. Users will be asked to create new login details the next time they log in, if they have not already done so.
Leaked data remains in circulation for a long time
Although PayPal does not have a high number of incidents, the consequences of a previous leak lingered for a long time. In 2022, some 35,000 accounts were compromised by a large-scale credential stuffing attack. Three years later, a dataset containing login details for 15.8 million PayPal accounts appeared on the dark web. PayPal stated at the time that the data was related to the credential stuffing incident in 2022 and not to a new leak.