PayPal has disclosed a software error in its PayPal Working Capital (PPWC) platform that exposed sensitive customer data, including Social Security numbers, for nearly six months in 2025. The flaw, introduced by a coding change in the loan application platform, inadvertently allowed unauthorized access to personally identifiable information (PII) for approximately 100 customers.
The exposure window ran from July 1, 2025, to December 13, 2025; the issue was detected on December 12 and promptly mitigated by rolling back the faulty code. PayPal emphasized that its core systems were not breached and that the incident was confined to the application layer.
Exposed information included:
- Names
- Email addresses
- Phone numbers
- Business addresses
- Dates of birth
- Social Security numbers
A small number of affected customers experienced unauthorized transactions, and PayPal issued refunds to those accounts. The exposure of sensitive data, particularly Social Security numbers and birthdates, increases the risk of identity theft, account takeover, and targeted social engineering attacks.
In response, PayPal implemented several remediation measures:
- Rolled back the code change responsible for the exposure
- Reset passwords for affected accounts
- Issued refunds for unauthorized transactions
- Offered two years of free three-bureau credit monitoring and identity restoration through Equifax
The incident underscores broader security lessons for organizations handling sensitive data:
- Strengthen change management processes with testing, peer review, and post-deployment validation for code affecting sensitive information
- Implement data minimization, tokenization, or field-level encryption for high-risk data such as Social Security numbers
- Enforce least privilege access and network segmentation to limit potential exposure
- Enhance logging, monitoring, and data loss prevention to detect anomalous access in real time
- Reinforce multi-factor authentication and user awareness to mitigate phishing campaigns that may follow breach disclosures
- Integrate application-layer exposures into vulnerability management programs and regularly test incident response plans
These measures can help limit the impact of data exposure incidents and reduce the likelihood of future breaches.
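As an added illustration of the testing, tokenization and authorization points above (example code written for this page, not PayPal's or the PPWC platform's code; the record fields, key, IDs and requester names are constructed), a small Python serializer that tokenizes high-risk fields by default, enforces an owner check, and a release gate that scans outgoing payloads for raw Social Security numbers so a regression of this kind is caught at deploy time rather than months later:

```python
import hashlib
import hmac
import re

# Constructed sample record; field names are hypothetical.
APPLICATIONS = {
    "app-1001": {"owner": "merchant-a", "name": "Ada Lovelace", "email": "ada@example.com",
                 "phone": "555-0101", "business_address": "1 Main St", "dob": "1990-01-02",
                 "ssn": "123-45-6789"},
}
SENSITIVE_FIELDS = ("ssn", "dob", "phone", "business_address")
TOKEN_KEY = b"constructed-demo-key"  # in production: a managed secret, never a literal
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def tokenize(value):
    """Keyed, non-reversible token: equality-preserving so records still match, but the
    raw value cannot be recovered from a leaked response."""
    return "tok_" + hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def serialize_application(app_id, requester, sensitive=False):
    """Object-level authorization first, then field-level protection. Non-owners get
    nothing; owners get tokenized sensitive fields unless they explicitly ask for them."""
    app = APPLICATIONS[app_id]
    if requester != app["owner"]:
        raise PermissionError("requester is not the record owner")
    view = {k: v for k, v in app.items() if k != "owner"}
    if not sensitive:
        for field in SENSITIVE_FIELDS:
            view[field] = tokenize(view[field])
    return view


def leaks_pii(payload):
    """Egress check: True if the serialized payload contains an SSN-shaped raw value."""
    return bool(SSN_RE.search(str(payload)))


def release_gate(serializer):
    """Post-deployment validation for any serializer touching PII. Returns a list of
    findings; an empty list means the change may ship."""
    findings = []
    try:
        serializer("app-1001", "merchant-b")
        findings.append("non-owner request returned data")
    except PermissionError:
        pass
    if leaks_pii(serializer("app-1001", "merchant-a")):
        findings.append("owner default view contains a raw SSN")
    return findings
```

Wiring `release_gate` into the deployment pipeline, with the gate run against the serializer actually being released, turns the "post-deployment validation" item above into an automatic stop rather than a manual step.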
This incident highlights how a simple coding error can put highly sensitive customer data at risk for months. Even without a system-wide breach, exposed Social Security numbers and personal details can lead to identity theft and account takeover. Organizations must enforce strong change management, thorough testing, and encryption for high-risk data to prevent similar incidents. PayPal’s response, including refunds and credit monitoring, is essential but also underscores the importance of proactive security measures.