TL;DR
- PayPal's Working Capital (PPWC) loan app had a coding error that exposed customer data — including Social Security numbers — for approximately 165 days (July 1–December 13, 2025) [1].
- Exposed data includes: full name, email, phone, business address, SSN, and date of birth — everything needed for identity theft and business fraud [2].
- A small number of customers had unauthorised transactions on their accounts; PayPal has issued refunds and reset passwords for all affected accounts [3].
- PayPal is offering 2 years of free credit monitoring through Equifax — but you must enrol by June 30, 2026 [3].
- If you used PayPal Working Capital, there are four concrete steps you should take right now — covered below.
What Actually Happened With the PayPal Working Capital Breach
PayPal has formally disclosed a data breach affecting its PayPal Working Capital (PPWC) loan product — a financing tool designed specifically for small businesses seeking quick access to merchant loans. According to PayPal's official breach notification letter filed with multiple state attorneys general, a software coding error in the PPWC application interface inadvertently permitted unauthorised third parties to access customer personally identifiable information (PII) for approximately 165 days, from July 1, 2025, through December 13, 2025 [1][2].
PayPal discovered the exposure on December 12, 2025, and reversed the erroneous code change the following day. Formal written breach notification letters were sent to affected customers dated February 10, 2026 — meaning customers had no idea their data was exposed for over two months after PayPal itself discovered the issue [3].
This breach is notable for two reasons that directly affect small business owners. First, the PPWC product is exclusively used by small businesses — it is not a consumer product. Second, the combination of data exposed — SSNs, dates of birth, and business addresses together — creates what security researchers call a "high-value PII cluster": everything needed for identity theft, business credit fraud, new account fraud, and highly targeted social engineering attacks [4].
What Data Was Exposed — and Why Each Element Matters
The breach exposed six categories of personal and business information:
Full Name + Date of Birth + Social Security Number: This combination is the primary trifecta for identity theft. With these three data points, a fraudster can open credit lines, file false tax returns, and apply for government benefits in your name. According to the U.S. Federal Trade Commission, identity theft reports involving business-related fraud increased by 28% in 2025 [5].
Email Address + Phone Number: These enable targeted phishing and vishing (voice phishing) attacks. Expect a surge in convincing scam calls and emails from people who appear to already know your business details — because they do. According to the Verizon 2025 Data Breach Investigations Report, 61% of data breaches are initiated via stolen credentials, often acquired through phishing campaigns that use prior breach data to appear credible [6].
Business Address: Combined with the above, this allows fraudsters to register your business address for fraudulent mail, redirect correspondence, and conduct in-person social engineering targeting your employees.
The compounding effect of all six elements together is significantly more dangerous than any single piece of data. IBM's 2025 Cost of a Data Breach Report found that breaches exposing PII — particularly SSNs — result in an average cost of $4.88M for the affected organisation when factoring in regulatory fines, legal liability, and remediation [7].
Was Money Actually Stolen?
Yes — in a small number of cases. PayPal confirmed that a subset of affected customers experienced unauthorised transactions directly linked to the breach, and that the company has issued refunds to those individuals [3]. PayPal has not publicly disclosed the total number of affected customers; its notification describes "approximately 100 customers," though some sources report this figure may be understated given the volume of state-level breach filings [2].
The fact that financial fraud occurred — not just data exposure — elevates this incident from an inconvenience to a material security event for affected businesses.
Why a "Coding Error" Is Actually the Hardest Breach to Detect
Most business owners assume data breaches happen because a hacker breaks in from the outside. But insider software defects — like the one that caused this breach — are categorically harder to detect and respond to, for several reasons.
Traditional intrusion detection systems (IDS) and security information and event management (SIEM) tools look for anomalous access patterns: logins from unusual locations, unusual hours, brute-force attempts. When data is exposed via a software bug in a legitimate application, the access looks completely normal because it uses the application's own legitimate credentials and workflows. The exposure is structurally invisible to conventional monitoring [8].
According to the NIST Cybersecurity Framework 2.0, application-layer vulnerabilities — including logic errors that result in unintended data exposure — represent one of the fastest-growing classes of software supply chain risk, and require separate secure code review processes distinct from perimeter security controls [9].
In simple terms: a lock on the front door doesn't help if someone accidentally left a window open from the inside.
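The gap this section describes, as an added illustration (not PayPal's code, logs or detection rules): a few constructed application access-log lines, a conventional login-anomaly rule that finds nothing in them, and an application-layer ownership rule that does. The log format, the /ppwc/applications/<owner> path and the business-hours threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed application access log (not PayPal's format). Every request is
# authenticated, comes from the usual region and arrives in business hours,
# so nothing here trips a login-anomaly rule.
SAMPLE_LOG = """\
2025-07-03T10:12:05Z user=merchant_a src=US auth=ok GET /ppwc/applications/merchant_a
2025-07-03T11:40:51Z user=merchant_a src=US auth=ok GET /ppwc/applications/merchant_a
2025-07-03T14:02:19Z user=merchant_b src=US auth=ok GET /ppwc/applications/merchant_b
2025-07-04T09:15:00Z user=merchant_c src=US auth=ok GET /ppwc/applications/merchant_c
2025-07-04T09:15:07Z user=merchant_c src=US auth=ok GET /ppwc/applications/merchant_a
2025-07-04T09:15:12Z user=merchant_c src=US auth=ok GET /ppwc/applications/merchant_b
2025-07-04T10:01:33Z user=merchant_c src=US auth=ok GET /ppwc/applications/merchant_d
"""

# Assumed layout: timestamp, caller, region, auth result, record path (last segment = owner).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) auth=(?P<auth>\S+) "
    r"GET /ppwc/applications/(?P<owner>\S+)$"
)

def parse(log_text):
    """Turn each well-formed line into a dict; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def perimeter_alerts(events, home_region="US", business_hours=range(8, 19)):
    """Conventional IDS/SIEM-style rules: unusual region, unusual hour, failed
    authentication. Returns the users that trip any rule (sorted)."""
    flagged = set()
    for e in events:
        hour = int(e["ts"][11:13])  # hour field of the ISO-8601 timestamp
        if e["src"] != home_region or hour not in business_hours or e["auth"] != "ok":
            flagged.add(e["user"])
    return sorted(flagged)

def app_layer_alerts(events):
    """Application-layer rule: a caller reading a record that belongs to another
    principal. Returns {user: sorted list of other principals' records read}."""
    foreign = defaultdict(set)
    for e in events:
        if e["owner"] != e["user"]:
            foreign[e["user"]].add(e["owner"])
    return {user: sorted(owners) for user, owners in foreign.items()}

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("login-anomaly rules flagged:", perimeter_alerts(ev))  # []
    print("application-layer rule flagged:", app_layer_alerts(ev))
```

The perimeter rules stay silent because every request is a valid, in-hours login from the home region; only the rule that knows which principal owns which record sees merchant_c reading three other merchants' applications.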
This Isn't PayPal's First Security Incident
Context matters. This breach comes with a history. In January 2023, PayPal disclosed that 35,000 accounts had been compromised in a credential stuffing attack — where attackers used stolen username/password combinations from other breaches to gain access [3]. In January 2025, New York State's Department of Financial Services announced a $2,000,000 settlement with PayPal over that 2022 incident, citing PayPal's failure to comply with cybersecurity regulations and implement adequate controls [10].
For SMBs, the lesson is not to abandon PayPal — it remains a widely used and important payment platform — but to treat any financial services provider's security practices as something you actively verify, not passively assume.
4 Steps Every PayPal Working Capital User Should Take Now
Step 1: Enrol in PayPal's Credit Monitoring — Before June 30, 2026. PayPal is offering two years of complimentary three-bureau credit monitoring through Equifax Complete Premier, including up to $1,000,000 in identity theft insurance. You must use the activation code from your breach notification letter and enrol at equifax.com by June 30, 2026. This monitoring includes dark web scanning for your SSN and financial account numbers.
Step 2: Place a Credit Freeze — It's Free. A credit freeze with all three bureaus (Equifax, Experian, TransUnion) prevents new credit accounts being opened in your name even if someone has your SSN and DOB. It does not affect your existing accounts. Freeze and unfreeze as needed at no cost, under federal law (Fair Credit Reporting Act). This is the single most effective step against new account fraud [5].
Step 3: Check Your Accounts and Business Credit Reports. Review your PayPal transaction history immediately. Also check your business credit profile via Dun & Bradstreet (dnb.com), Experian Business, and Equifax Business — fraudsters with business PII often target business credit, not just personal.
Step 4: Watch for Impersonation Scams — They Will Come. PayPal has confirmed it will never ask for your password, one-time codes, or credentials via call, email, or text [3]. But attackers who now know your name, SSN, business address, and email will use that data to craft convincing impersonation attempts. Train yourself and any employees to verify caller identity via the official PayPal app or website before sharing any information.
FAQ
Q: Who is affected by this breach? A: The breach specifically affects customers who used or applied for the PayPal Working Capital (PPWC) loan product — a merchant financing service designed for small businesses. Customers of standard PayPal consumer accounts, PayPal Business accounts without PPWC, or Venmo are not confirmed as affected by this specific incident. PayPal's official breach notification covers only PPWC applicants whose data was exposed between July 1, 2025, and December 13, 2025.
Q: How do I know if I was affected? A: PayPal sent formal written breach notification letters dated February 10, 2026, to all affected customers. If you used PayPal Working Capital and have not received a letter, check your registered email address for a digital notification. You can also log into your PayPal account and check the notifications/alerts section. If in doubt, contact PayPal customer support directly through the official app or paypal.com.
Q: Should I close my PayPal account? A: Not necessarily. Closing your account doesn't undo the exposure — your SSN and personal data were already seen during the breach window. The most effective actions are the credit freeze, monitoring enrolment, and vigilance against follow-on phishing. Closing the account may actually complicate refunds or breach-related support. Evaluate based on your business needs.
Q: Will a credit freeze get in the way of running my business? A: A credit freeze applies to your personal credit, not typically your business credit. You can unfreeze your personal credit temporarily whenever you need to apply for loans or new accounts. The process takes minutes online via each bureau's website. It is one of the most effective and lowest-cost protective measures available under federal law.
Q: Does my business insurance cover this? A: It depends on your policy. Many business owner's policies (BOP) do not cover cyber liability or identity restoration costs. Check with your insurer whether you have cyber liability coverage, and whether identity theft affecting business principals is included. This breach is a good reason to review your coverage. lilMONSTER can help you assess your cyber risk profile and coverage gaps — see below.
References
[1] PayPal, Inc., "Notice of Data Breach," Massachusetts Office of the Attorney General (Mass.gov), February 10, 2026. [Online]. Available: https://www.mass.gov/doc/2026-240-paypal-inc/download
[2] CyberPress, "PayPal Data Breach – Customers Names, SSNs, and Dates of Birth Exposed," CyberPress, February 2026. [Online]. Available: https://cyberpress.org/paypal-data-breach/
[3] BleepingComputer, "PayPal discloses data breach that exposed user info for 6 months," BleepingComputer, February 20, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/paypal-discloses-data-breach-exposing-users-personal-information/
[4] Cryptika, "PayPal Data Breach Exposes SSNs and Business PII of Customers for Over Six Months," Cryptika Cybersecurity, February 2026. [Online]. Available: https://www.cryptika.com/paypal-data-breach-exposes-ssns-and-business-pii-of-customers-for-over-six-months/
[5] U.S. Federal Trade Commission, "Consumer Sentinel Network Data Book 2025," FTC, 2026. [Online]. Available: https://www.ftc.gov/reports/consumer-sentinel-network
[6] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
[7] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[8] CISA, "Application Security and Software Assurance," U.S. Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/topics/cybersecurity-best-practices/application-security
[9] NIST, "Cybersecurity Framework 2.0," National Institute of Standards and Technology, 2024. [Online]. Available: https://www.nist.gov/cyberframework
[10] New York State Department of Financial Services, "PayPal Consent Order and Settlement — $2,000,000 Penalty," NYDFS, January 2025. [Online]. Available: https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202501_paypal
TL;DR (The Short Version)
- PayPal accidentally left a window open in their business loan app for 5 months — anyone who knew the right way to look could see your private data.
- Your name, phone, business address, Social Security number, and birthday may have been exposed.
- Some people had money taken from their accounts. PayPal gave refunds.
- You can get 2 years of free credit protection from PayPal — but you need to sign up before June 30, 2026.
- Four things you should do right now (they take 30 minutes, they're all free, and they make a real difference).
Let's Start With a Simple Analogy
Imagine your business keeps a filing cabinet with all its important documents — contracts, bank statements, your Social Security card. Now imagine a staff member accidentally propped the filing cabinet door open for 5 months without realising. Anyone who walked by could look inside.
That's basically what happened with PayPal's Working Capital loan app. It wasn't a dramatic movie-style hack. There was no sinister hacker who cracked a secret code. A programmer made a mistake in the software, and that mistake left a door open. PayPal found the open door on December 12, 2025, and closed it the next day. But it had been open since July 1, 2025 — that's 165 days.
What Is PayPal Working Capital?
PayPal Working Capital is a loan product that PayPal offers specifically to small businesses. If you sell things through PayPal and need cash quickly, you can borrow money and repay it through a portion of your future sales. It's popular with small business owners, online sellers, and sole traders.
The people affected by this breach are small business owners who applied for or used this loan product. Regular PayPal consumer accounts were not part of this specific breach.
What Information Was in That "Filing Cabinet"?
The exposed information included:
- Your full name and business address — straightforward to find anyway, but now confirmed accurate
- Your email address and phone number — this is how scammers will reach you next
- Your Social Security number (SSN) — this is the sensitive one. With an SSN plus your name and birthday, someone can pretend to be you and open credit accounts or file tax returns
- Your date of birth — the final piece of the identity puzzle
Think of your SSN + name + birthday as a master key to your financial identity. Individually, each piece is just information. Together, they're a key that opens doors you really don't want opened.
Did Anyone Actually Use This Information?
Yes — for a small group of customers. PayPal confirmed that some customers had unauthorised transactions on their accounts as a direct result of this breach. PayPal issued refunds to those people. PayPal also reset passwords for all affected accounts.
The Good News: PayPal Is Offering Free Protection
PayPal is offering 2 years of free credit monitoring through Equifax — one of the three major credit agencies in the US. This service:
- Watches all three credit bureaus (Equifax, Experian, TransUnion) for suspicious activity
- Scans the dark web for your Social Security number
- Sends alerts if anyone tries to open an account in your name
- Includes up to $1,000,000 in identity theft insurance
You need to enrol using the activation code from your breach notification letter before June 30, 2026. Check your email and mail for a letter from PayPal dated around February 10, 2026.
4 Things to Do Right Now (All Free, Takes 30 Minutes)
1. Sign up for the free credit monitoring. Use the Equifax activation code from PayPal's letter. This is free and adds a significant layer of protection.
2. Freeze your credit. This is the big one. A credit freeze tells the credit bureaus: "Don't let anyone open a new account in my name." It doesn't affect your existing accounts or credit score. You can freeze and unfreeze online whenever you need to. It's free by law. Do this at all three: Equifax.com, Experian.com, and TransUnion.com.
3. Check your PayPal account and your business credit profile. Look at your PayPal transaction history for any payments you didn't make. Also check your business credit via Dun & Bradstreet (dnb.com) — fraudsters sometimes target business credit, not just personal.
4. Be on alert for very convincing scam calls and emails. Scammers will now have your name, SSN, business address, and email. They will use this to sound like they already know you — because they do. Anyone calling and claiming to be PayPal, your bank, or the IRS who asks for a password or code is a scammer. Hang up. Call back on the official number from the website.
How to Keep Your Business Safe Going Forward
This breach happened because of a software mistake at PayPal — not because you did anything wrong. But it's a useful reminder that your business data lives in many places: your payment platform, your accounting software, your bank, your phone. Knowing what data is where — and what to do if one of those systems leaks — is exactly the kind of resilience that protects your business without requiring a big IT budget.
That's what lilMONSTER specialises in. We help small businesses understand their actual exposure, not just tick compliance boxes. A 30-minute conversation often reveals the gaps — and the fixes are usually simpler than you think.