
PayPal Coding Error Exposed Social Security Numbers and Personal Data for Six Months

PayPal has disclosed a software error in its PayPal Working Capital (PPWC) platform that exposed sensitive customer data, including Social Security numbers, for nearly six months in 2025. The flaw, introduced by a coding change in the loan application platform, inadvertently allowed unauthorized access to personally identifiable information (PII) for approximately 100 customers.

The exposure lasted from July 1, 2025, to December 13, 2025, before the issue was detected on December 12 and promptly mitigated by rolling back the faulty code. PayPal emphasized that its core systems were not breached, and the incident was limited to the application layer.

Exposed information included:

  • Names
  • Email addresses
  • Phone numbers
  • Business addresses
  • Dates of birth
  • Social Security numbers

A small number of affected customers experienced unauthorized transactions, and PayPal issued refunds to those accounts. The exposure of sensitive data, particularly Social Security numbers and birthdates, increases the risk of identity theft, account takeover, and targeted social engineering attacks.

In response, PayPal implemented several remediation measures:

  • Rolled back the code change responsible for the exposure
  • Reset passwords for affected accounts
  • Issued refunds for unauthorized transactions
  • Offered two years of free three-bureau credit monitoring and identity restoration through Equifax

The incident underscores broader security lessons for organizations handling sensitive data:

  • Strengthen change management processes with testing, peer review, and post-deployment validation for code affecting sensitive information
  • Implement data minimization, tokenization, or field-level encryption for high-risk data such as Social Security numbers
  • Enforce least privilege access and network segmentation to limit potential exposure
  • Enhance logging, monitoring, and data loss prevention to detect anomalous access in real time
  • Reinforce multi-factor authentication and user awareness to mitigate phishing campaigns that may follow breach disclosures
  • Integrate application-layer exposures into vulnerability management programs and regularly test incident response plans

These measures can help limit the impact of data exposure incidents and reduce the likelihood of future breaches.
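As an added illustration of the data minimization and tokenization point above (example code written for this page, not PayPal's code and not a description of how the PPWC platform works), the Python sketch below keeps a loan applicant's Social Security number in a separate token vault and builds API responses from an explicit allow-list of fields, so that a later change to the applicant model cannot silently start returning the raw value. The vault, the HMAC key, the "underwriting" role name and the sample applicant are all constructed assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Constructed key for this illustration; a real deployment draws it from a KMS/HSM.
VAULT_HMAC_KEY = b"constructed-example-key-do-not-reuse"

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """Holds raw SSNs behind opaque tokens.

    Hypothetical in-process stand-in for a separately deployed, tightly
    access-controlled tokenization service.
    """

    def __init__(self, hmac_key: bytes) -> None:
        self._key = hmac_key
        self._raw_by_token: dict[str, str] = {}
        # Keyed fingerprint -> token, so the same SSN always maps to one token
        # without the vault comparing raw values on every lookup.
        self._token_by_fingerprint: dict[str, str] = {}

    def _fingerprint(self, ssn: str) -> str:
        return hmac.new(self._key, ssn.encode("ascii"), hashlib.sha256).hexdigest()

    def tokenize(self, ssn: str) -> str:
        """Store a raw SSN and return the random token that stands in for it."""
        if not SSN_RE.fullmatch(ssn):
            raise ValueError("SSN must be formatted NNN-NN-NNNN")
        fp = self._fingerprint(ssn)
        token = self._token_by_fingerprint.get(fp)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the SSN
            self._raw_by_token[token] = ssn
            self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Return the raw SSN only to the one role that needs it."""
        if caller_role != "underwriting":  # hypothetical role name
            raise PermissionError(f"role {caller_role!r} may not read raw SSNs")
        return self._raw_by_token[token]


@dataclass(frozen=True)
class Applicant:
    """What the loan application service itself stores: never the raw SSN."""
    name: str
    email: str
    ssn_token: str
    ssn_last4: str


def store_applicant(vault: TokenVault, name: str, email: str, ssn: str) -> Applicant:
    """Tokenize the SSN at intake so only the vault ever holds the full value."""
    token = vault.tokenize(ssn)  # validates the format before anything is stored
    return Applicant(name=name, email=email, ssn_token=token, ssn_last4=ssn[-4:])


def to_api_response(applicant: Applicant) -> dict[str, str]:
    """Allow-listed serializer for the customer-facing API.

    Fields are named explicitly rather than dumping the whole object, so a
    later change that adds a sensitive attribute to Applicant does not
    silently start returning it.
    """
    return {
        "name": applicant.name,
        "email": applicant.email,
        "ssn": "***-**-" + applicant.ssn_last4,
    }


if __name__ == "__main__":
    vault = TokenVault(VAULT_HMAC_KEY)
    # Constructed sample applicant, not real data.
    app = store_applicant(vault, "Example Business LLC", "owner@example.com", "123-45-6789")
    print(to_api_response(app))                              # SSN appears only masked
    print(vault.detokenize(app.ssn_token, "underwriting"))   # full value, authorized role only
```

The two design choices worth copying are that the application database row carries only a random token plus the last four digits, and that every read of the full value goes through a single, role-checked call that can be logged and alerted on; the allow-listed serializer is what keeps an unrelated code change from widening what the API returns.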


1 Comment

  • This incident highlights how a simple coding error can put highly sensitive customer data at risk for months. Even without a system-wide breach, exposed Social Security numbers and personal details can lead to identity theft and account takeover. Organizations must enforce strong change management, thorough testing, and encryption for high-risk data to prevent similar incidents. PayPal’s response, including refunds and credit monitoring, is essential but also underscores the importance of proactive security measures.
