Overview
- A coding change in the PayPal Working Capital loan application on July 1, 2025 left data exposed until December 12–13, 2025, when access was detected and cut off.
- Exposed details included names, email addresses, phone numbers, dates of birth, business addresses and Social Security numbers.
- PayPal says roughly 100 customers were affected, the faulty code was rolled back, and passwords for impacted accounts were reset.
- A few customers reported unauthorized transactions tied to the incident, and PayPal states it has issued refunds to those users.
- Notification letters dated February 10, 2026 offer two years of Equifax three-bureau credit monitoring with enrollment open through June 30, 2026, as media note conflicting company statements about whether its systems were compromised and filings were submitted in Massachusetts.