Software Error Exposes Social Security Numbers and Business Data for Nearly Half a Year
PayPal has notified customers of a data exposure incident tied to a software error in its PayPal Working Capital (PPWC) loan application, which left sensitive personal information accessible for nearly six months in 2025.
According to breach notification letters, the exposure began on July 1, 2025, and was discovered on December 12, 2025. The issue stemmed from a code change that unintentionally exposed personally identifiable information (PII) to unauthorized individuals.
What Information Was Exposed?
The affected application supports PayPal Working Capital, a financing solution that provides small businesses with streamlined access to funding. The accessible data included full names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth.
In a limited number of cases, PayPal also detected unauthorized transactions directly linked to the incident and issued refunds to impacted customers. After discovering the issue, PayPal rolled back the problematic code change within 24 hours, effectively closing the exposure window on December 13, 2025.
Scope and Clarification
Following initial reporting, a PayPal spokesperson clarified that the company’s systems were not breached, approximately 100 customers were potentially impacted, and notifications were issued out of regulatory obligation in cases of possible data exposure.
While no intrusion into PayPal’s broader infrastructure occurred, the exposure of Social Security numbers and related identity data, even for a limited population, still represents material risk to affected individuals.
From a risk perspective, application misconfigurations and logic errors can carry consequences comparable to external intrusions when sensitive data becomes accessible.
Remediation and Customer Protection
PayPal has taken several steps in response:
- Reversed the code change responsible for the exposure.
- Reset passwords for all impacted accounts.
- Prompted users to create new credentials at next login.
- Issued refunds where unauthorized transactions occurred.
- Offered two years of free three-bureau credit monitoring and identity restoration services through Equifax (enrollment required by June 30, 2026).
The company also reminded users that it does not request passwords, one-time codes, or authentication credentials via phone, text, or email; requests of that kind are a common tactic in the phishing campaigns that often follow public breach disclosures.
Historical Context
This incident follows prior security challenges.
In January 2023, PayPal disclosed that approximately 35,000 accounts were compromised during a credential stuffing attack between December 6 and December 8, 2022. In January 2025, New York State announced a $2 million settlement with PayPal over allegations that the company failed to comply with state cybersecurity regulations related to that earlier breach.
While the current event differs in nature, stemming from a software error rather than stolen credentials, it reinforces that identity data remains one of the highest-value targets in financial ecosystems.
Exposure Without Intrusion Still Carries Risk
While PayPal maintains that its systems were not breached and that only a small number of customers were affected, the incident illustrates a recurring theme in modern security: exposure does not require compromise. Software errors, particularly in applications handling identity and financial data, can create significant risk if not rapidly identified and contained.
For security leaders, the takeaway is clear. Continuous validation of code changes, proactive exposure monitoring, and rapid rollback capabilities are operational requirements in environments where identity data, financial transactions, and customer trust intersect.
As digital lending continues to scale, incidents like this are a reminder that security failures don’t always look like breaches; sometimes they look like code.