PayPal Discloses Extended Data Leak Linked to Loan App Glitch
In a recent development, PayPal has revealed a six-month data breach that exposed sensitive user information due to a software error in its PayPal Working Capital loan app. The incident highlights the importance of robust cybersecurity measures and regular vulnerability assessments to prevent similar data breaches.
On December 12, 2025, PayPal discovered that a coding error in its loan application had exposed the personal information of a small number of customers to unauthorized parties between July 1 and December 13, 2025. The affected customer data included business contact details (name, email, phone number, address), along with Social Security numbers and dates of birth.
The Root Cause: A Software Bug
According to PayPal's data breach notification, the exposure was caused by a coding bug in its PayPal Working Capital loan application. The flaw allowed unauthorized individuals to access sensitive customer information and has since been addressed through a code roll-back. This incident serves as a reminder of the potential consequences of software vulnerabilities and the importance of regular testing and quality assurance.
Impact on Affected Customers
PayPal has taken steps to mitigate the impact of the data breach on affected customers. These measures include blocking unauthorized transactions, resetting affected passwords, and implementing stronger security checks. The company also offers impacted users two years of complimentary credit monitoring and identity restoration services through Equifax.
Customers are advised to closely monitor their accounts, transaction history, and free credit reports for suspicious activity and report any fraud immediately. PayPal encourages customers to enroll in complimentary three-bureau credit monitoring through Equifax by June 30, 2026. The company also provides guidance on fraud alerts, free credit reports, and FTC resources to help users better protect their personal information.
A Precedent: Credential Stuffing Attacks
PayPal's previous experience with credential stuffing attacks in January 2023 is a relevant precedent for this incident. In that case, 34,942 customer accounts were compromised through unauthorized access between December 6 and December 8, 2022. While PayPal's systems were not breached, the incident highlighted the importance of robust cybersecurity measures and regular vulnerability assessments.
Conclusion
The PayPal data breach highlights the importance of prioritizing cybersecurity in the digital age. By detecting vulnerabilities early and taking swift action to address them, companies can prevent similar incidents from occurring. As we continue to navigate the complex landscape of online transactions and personal data protection, it is essential to stay vigilant and take proactive measures to safeguard our sensitive information.