PayPal Data Breach Working Capital: Coding Error Exposed SSNs for Six Months
A PayPal data breach tied directly to the PayPal Working Capital loan application has rattled small business owners across the United States. PayPal sent formal breach notification letters dated February 10, 2026, revealing that a software coding error inside the PayPal Working Capital (PPWC) platform left sensitive personally identifiable information exposed to unauthorized individuals for nearly six months — from July 1, 2025, through December 13, 2025. PayPal says it discovered the PayPal Working Capital data breach on December 12, 2025, and rolled back the faulty code the following day.
What the PayPal Working Capital Data Breach Exposed
The PayPal data breach affecting PayPal Working Capital applicants compromised some of the most sensitive categories of personal and business data available. The unauthorized access exposed the following information belonging to affected customers:
| Data Type Exposed | Details |
|---|---|
| Full legal name | Personal and business |
| Social Security number (SSN) | Full nine-digit SSN |
| Date of birth | Used for identity verification |
| Business email address | Tied to PPWC application |
| Business phone number | Application contact |
| Business mailing address | Physical location |
The combination of SSNs and dates of birth places affected users at elevated risk for identity theft, synthetic identity fraud, and targeted social engineering campaigns impersonating PayPal or major credit bureaus.
How the PayPal Working Capital Coding Error Happened
The PayPal data breach did not result from an external hacker breaking through firewalls or a credential-stuffing attack. A routine software update introduced a bug into the PayPal Working Capital loan application interface. That coding mistake accidentally made the private information of roughly 100 customers visible to unauthorized users — essentially leaving sensitive files in an open, publicly accessible area of the application without requiring any malicious intrusion. PayPal has since rolled back the code change and implemented enhanced security controls, requiring affected users to reset their passwords upon their next login.
Unauthorized Transactions Confirmed
The PayPal Working Capital data breach went beyond passive data exposure. A small number of affected customers reported unauthorized transactions on their PayPal accounts as a direct consequence of the incident. PayPal confirmed all affected customers have been fully refunded. The company terminated unauthorized access immediately upon discovery, reset passwords for all impacted accounts, and launched a full internal investigation. PayPal also emphasized that the breach notification was not delayed due to any law enforcement investigation.
What PayPal Is Offering Affected Customers
PayPal is providing the following remediation to all individuals affected by the PayPal Working Capital data breach:
- Two years of free three-bureau credit monitoring through Equifax Complete Premier
- Up to $1,000,000 in identity theft insurance coverage included in the Equifax package
- WebScan dark web alerts for SSN and financial account numbers
- Automatic fraud alerts via Equifax
- Enrollment deadline: July 31, 2026, using the unique activation code provided in the notification letter
Affected customers are also urged to review transaction history, pull free annual credit reports from Equifax, Experian, and TransUnion, and consider placing a fraud alert or full credit freeze with all three bureaus at no cost.
PayPal Working Capital: Who Uses It and Why This Breach Matters
PayPal Working Capital is a merchant financing product designed specifically for small business owners. It provides quick access to business loans based on PayPal sales history, making it a popular funding tool for sole proprietors and small e-commerce merchants. Because PPWC applicants submit highly sensitive financial and identity data as part of the loan application process, the PayPal data breach disproportionately impacts business owners who are especially vulnerable to business identity fraud and targeted phishing.
PayPal's Breach History: A Recurring Problem
The February 2026 PayPal Working Capital data breach is not an isolated event. In December 2022, a credential-stuffing attack exposed personal information belonging to 35,000 PayPal accounts. In January 2025, New York State announced a $2,000,000 settlement with PayPal over cybersecurity regulation violations stemming from that 2022 incident. The latest PayPal data breach involving Working Capital signals ongoing challenges in securing customer-facing application code — even when core systems remain structurally intact.
