PayPal software error exposes Social Security numbers in Working Capital loan app

PayPal is notifying approximately 100 customers that a software error in its PayPal Working Capital loan application exposed sensitive personal information, including Social Security numbers, for nearly six months in 2025.


The financial technology company, which operates a global digital payments platform serving consumers and businesses, identified the issue on Dec. 12, 2025. An internal review determined that personally identifiable information had been accessible to unauthorized individuals from July 1, 2025, through Dec. 13, 2025.


The incident involved the PayPal Working Capital loan app, a financing tool designed to provide small businesses with streamlined access to funding. Exposed information included customers’ names, email addresses, phone numbers, business addresses, Social Security numbers and dates of birth.


PayPal stated that the exposure stemmed from a code change in the application. The company rolled back the change within one day of discovering the issue, blocking further unauthorized access. Company officials confirmed that PayPal's broader systems were not compromised.


Notification letters sent to affected users stated that the exposure involved a small number of customers. PayPal clarified that roughly 100 individuals were potentially impacted and were contacted directly.


The company also identified unauthorized transactions on the accounts of a small number of affected customers as a direct result of the exposure. Refunds have been issued in those cases.


To mitigate potential harm, PayPal is offering two years of complimentary three-bureau credit monitoring and identity restoration services through Equifax. Enrollment in the service is available through June 30, 2026.


As part of its response, PayPal reset passwords for all impacted accounts. Customers who have not yet updated their credentials will be required to create new passwords upon their next login. The company advised users to monitor credit reports and account activity for suspicious transactions and reiterated that it does not request passwords, one-time codes or other authentication credentials via phone, text or email.


The incident marks the latest in a series of security-related disclosures involving the company. In January 2023, PayPal informed customers that a credential stuffing attack had compromised approximately 35,000 accounts between Dec. 6 and Dec. 8, 2022. In January 2025, New York state officials announced a $2 million settlement with PayPal over findings that the company failed to comply with state cybersecurity regulations in connection with the 2022 breach.


The company stated that the recent exposure did not result from a breach of its core systems but from an application-level software error that has since been corrected.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543