PayPal reveals data breach in working capital loan app
PayPal has disclosed a data breach tied to a software glitch in its PayPal Working Capital (PPWC) loan application, a financing product designed for small businesses. The payments company also confirmed that some unauthorised transactions occurred in connection with the incident, though affected customers have since been reimbursed.
The company said it uncovered the problem on December 12, 2025, noting that personally identifiable information (PII) had been accessible to unauthorised parties from July 1 to December 13, 2025. The exposed data included customers’ names, email addresses, phone numbers, business addresses, Social Security numbers and dates of birth.
In notification letters to impacted users, PayPal explained that the breach resulted from an error within its PPWC loan application system. It stated that a ‘small number of customers’ had their personal information exposed during the specified timeframe due to the coding issue.
According to the company, the faulty code was rolled back and the unauthorised access blocked within 24 hours of detection. PayPal also identified suspicious transactions on certain accounts linked to the breach and issued refunds to those affected.
As part of its response, PayPal is providing two years of complimentary credit monitoring and identity restoration services through Equifax, with enrolment available until June 30, 2026. Customers were urged to review their credit reports and closely monitor account activity for any irregular transactions.
The company further cautioned users against phishing attempts, reiterating that it does not request sensitive information such as passwords or one-time passcodes via phone calls, text messages or email. Passwords for affected accounts have been reset, and users who have not yet updated their login details will be prompted to do so.
The disclosure comes after a previous security incident involving a credential stuffing attack that compromised about 35,000 accounts between December 6 and December 8, 2022. In January 2025, New York State reached a $2 million settlement with PayPal over alleged lapses in complying with state cybersecurity rules related to that earlier breach.
In a subsequent clarification, a company spokesperson stressed that PayPal’s core systems were not compromised in the latest incident and that roughly 100 customers were potentially affected. “When there is a potential exposure of customer information, PayPal is required to notify affected customers,” the spokesperson said, adding that the outreach was intended to ensure transparency and awareness.
About the Author
Yakubu Ibrahim
Analyst
Abuja, Nigeria
Yakubu Ibrahim is an analyst who writes stories bordering on corruption, politics, and business. He has won four journalism awards and worked in two media organisations.