PayPal Says Highly Sensitive Customer Data Exposed To ‘Unauthorized Individuals’ for Six Months, Triggering Unauthorized Transactions

The payments giant PayPal says a cybersecurity incident left highly sensitive customer information exposed for around six months.

In a data breach notice submitted to the Commonwealth of Massachusetts, PayPal says it’s resetting affected customers’ passwords and issuing refunds to accounts with unauthorized transactions.

“On December 12, 2025, PayPal identified that due to an error in its PayPal Working Capital (“PPWC”) loan application, the PII of a small number of customers was exposed to unauthorized individuals during the timeframe of July 1, 2025 to December 13, 2025.

PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII.”

According to PayPal, the stolen data may include customers’ business contact details, including names, email addresses, phone numbers, business addresses, Social Security numbers and dates of birth.

In an update sent to BleepingComputer, PayPal specifies that its systems were not hacked, and dozens of customers are impacted.

“In this case, PayPal’s systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter.”

PayPal says it’s offering affected customers two years of free credit monitoring and identity restoration services through Equifax.

Generated Image: Midjourney

The post PayPal Says Highly Sensitive Customer Data Exposed To ‘Unauthorized Individuals’ for Six Months, Triggering Unauthorized Transactions appeared first on The Daily Hodl.