PayPal disclosed a data breach affecting its PayPal Working Capital loan application that exposed sensitive customer information for nearly six months. The incident, discovered on December 12, 2025, occurred due to a software error that began on July 1, 2025, potentially exposing names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth.

PayPal said it blocked attackers' access one day after discovery by rolling back the problematic code change. The breach notification letters revealed unauthorized transactions on some accounts, with refunds issued to affected customers. The company is offering two years of free three-bureau credit monitoring and identity restoration services through Equifax, requiring enrollment by June 30, 2026.

This marks another security incident for PayPal, which faced a $2,000,000 settlement with New York State in January 2025 over a 2022 data breach affecting 35,000 accounts. The company has reset passwords for all impacted accounts and advises users to monitor their credit reports and account activity for suspicious transactions. PayPal emphasized it never requests account passwords or authentication credentials via phone, text, or email.