PayPal Discloses Six-Month Exposure of Sensitive Customer Data Due to Software Flaw
PayPal has revealed that sensitive customer data was unintentionally exposed for six months due to a software flaw in its Working Capital loans application. The incident resulted in the disclosure of highly sensitive personal information, including Social Security numbers.
According to the report, the programming error, which persisted from July to December 2025, allowed unauthorized parties to retrieve other customers' data through the application itself, without breaking into any system or defeating any security control. Because the requests looked like ordinary application traffic, no defense had anything to block. The incident is a reminder that a logic bug in production code can expose as much as a sophisticated intrusion.
The company discovered the flaw on December 12, 2025, and resolved it within 24 hours. However, approximately 100 customers had already experienced data exposure during that period. The compromised information included customer names, Social Security numbers, dates of birth, email addresses, phone numbers, and business addresses.
Security analysts warn that application logic vulnerabilities are a particularly serious class of flaw: they hand out sensitive identity data through normal, authenticated user workflows, so an attacker needs no exploit code and no privilege escalation, only a request the application was never supposed to honor.
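The following is an added, hypothetical illustration of the vulnerability class described above; it is not PayPal's code, and the article does not disclose what the actual Working Capital flaw was. It shows the shape such a logic bug typically takes: an endpoint that authenticates the caller but never checks that the requested record belongs to them, beside the corrected version, plus a small audit probe. All names, records and the `ssn_last4` field are constructed sample data.

```python
"""
Illustrative object-level authorization check for a loan-servicing
endpoint. Added example for this article, not PayPal's code; the
article does not say what the real flaw was. Demonstrates the general
class it names: a logic bug that returns another customer's identity
data through an ordinary, authenticated request.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoanApplication:
    app_id: int
    owner_id: str
    applicant_name: str
    ssn_last4: str  # constructed sample value, not a real SSN fragment


class NotFound(Exception):
    """Raised for both 'no such record' and 'not your record'."""


# Constructed sample records keyed by application id (hypothetical data).
APPLICATIONS = {
    1001: LoanApplication(1001, "merchant-a", "Alice Example", "1234"),
    1002: LoanApplication(1002, "merchant-b", "Bob Example", "5678"),
}


def get_application_vulnerable(session_user: str, app_id: int) -> dict:
    """Logic flaw: the caller is authenticated (session_user is trusted
    to be a valid login) but ownership of app_id is never checked.
    Any logged-in user who changes the id in a normal request receives
    someone else's name and identity data."""
    app = APPLICATIONS.get(app_id)
    if app is None:
        raise NotFound(app_id)
    return {"name": app.applicant_name, "ssn_last4": app.ssn_last4}


def get_application_fixed(session_user: str, app_id: int) -> dict:
    """Hardened: the lookup is scoped to the caller, and both 'missing'
    and 'not yours' fail closed with the same NotFound, so the response
    does not reveal whether a given id exists."""
    app = APPLICATIONS.get(app_id)
    if app is None or app.owner_id != session_user:
        raise NotFound(app_id)
    return {"name": app.applicant_name, "ssn_last4": app.ssn_last4}


def audit_cross_tenant_reads(handler) -> list[int]:
    """Probe a handler as merchant-a for every known id and return the
    ids whose data came back even though merchant-a does not own them.
    An empty list means the handler enforces object-level authorization.
    This is the kind of check a pre-release test suite should run
    against every record-returning endpoint."""
    leaked = []
    for app_id, app in APPLICATIONS.items():
        try:
            handler("merchant-a", app_id)
        except NotFound:
            continue
        if app.owner_id != "merchant-a":
            leaked.append(app_id)
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks:", audit_cross_tenant_reads(get_application_vulnerable))
    print("fixed handler leaks:", audit_cross_tenant_reads(get_application_fixed))
```

The audit function is the practical takeaway: a logic flaw of this kind produces no error, no crash and no alert, so the only reliable way to find it is a test that deliberately requests records the caller should not be able to see and asserts that nothing comes back.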
Although the incident affected a relatively small number of users compared to PayPal’s global base of around 434 million customers, the sensitivity of the exposed data — especially Social Security numbers — significantly amplifies the risk. The company stated that some affected users reported unauthorized transactions, all of which were fully reimbursed.
PayPal also announced it will provide two years of credit monitoring services through Equifax for impacted customers, noting that, unlike a password, core identity data such as a Social Security number or date of birth cannot simply be reset once exposed.
The incident follows a previous security breach in December 2022, when credential-stuffing attacks compromised about 35,000 accounts and led to a $2 million settlement with the state of New York in January 2025 over cybersecurity compliance failures. That earlier breach was attacker-driven, reusing passwords stolen elsewhere; the 2025 exposure required no attack at all, only a flaw in PayPal's own code.
