PayPal breach went undetected for six months, exposing Social Security numbers


PayPal has been sending data breach notification letters to customers affected by a recently discovered “cyber incident” dating back to 2025, in which an unknown attacker was found lurking in its systems for nearly six months.

“The security of our customers’ information is very important to us. We are writing to let you know of a cybersecurity incident that affected some of your personal information,” the PayPal letter begins.

According to the letter dated February 10th, bad actors were able to gain access to PayPal’s networks after a code change affected the PayPal Working Capital (PPWC) app interface.

PayPal sent a Notice of Breach Letter to affected customers as required by law. Image by Cybernews.

PayPal Working Capital is used by small businesses for quick financing, according to the PayPal website. In addition to other parameters, PPWC loans appear to be restricted to users registered in the United Kingdom who process at least £9,000 in annual PayPal sales.

Six months inside PayPal’s systems

Although the intrusion was discovered last year on December 12th, PayPal acknowledges that sensitive customer information had been left exposed for at least six months prior, dating back to July 1st.

“A small number of customers were exposed to unauthorized individuals during the timeframe of July 1, 2025, to December 13, 2025,” the letter states.

In a statement sent to Cybernews on Friday, PayPal said that only “100 customers” have been impacted, stressing that its systems were not breached.

PayPal Working Capital offers quick, flexible funding to business customers. PayPal.com

“When there is a potential exposure of customer information, PayPal is required to notify affected customers. In this case, PayPal’s systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter.”

– PayPal Spokesperson

The California-based fintech says it “terminated the unauthorized access to PayPal’s systems, rolling back the code change responsible for the error,” by the next day, December 13th.

What data was exposed

PayPal also confirmed in the letter that “a few customers experienced unauthorized transactions on their accounts,” but did not provide the exact number affected. The company says it has already reversed the charges for those accounts.

Andrew Costis, Manager of the Adversary Research Team at AttackIQ, explains that “the longer attackers are able to remain undetected within networks, the greater the likelihood of credential exposure becomes.”

Compromised PayPal accounts are at increased risk of phishing attacks. Image by Cybernews

And even with only a limited number of victims, Costis says, “the sensitivity of the data raises the likelihood of identity theft, synthetic identity fraud, and highly targeted social engineering against small businesses.”

PayPal says internal investigations found "some" customers’ business and personal information had been compromised during the six-month timeframe.

That data is said to include:

  • Name
  • Social Security number
  • Date of birth
  • Email address
  • Phone number
  • Business address

However, Nick Tausek, Lead Security Automation Architect at Swimlane, points out that “some customers reported unauthorized transactions on their accounts as a result of the breach, reinforcing that intrusions don't need to be massive to put customers at risk.”

“When sensitive identity attributes can be reached through an ordinary customer journey, it signals to attackers that the fastest path to payoff is often the business logic itself,” Tausek told Cybernews.

“The ripple effects of a breach like this can show up as account takeover attempts, payment diversion, and loan or credit abuse,” he added.

PayPal says affected users will be required to reset their account passwords. Image by Shutterstock

What PayPal is doing now

PayPal says that, since finding out about the unauthorized access, it has reset the passwords of the affected PayPal accounts.

It says the compromised PayPal users will have to “establish a new password the next time you log in,” and that the company has since beefed up its security controls.

Customers will also be able to receive two years of complimentary credit monitoring and identity restoration services through Equifax.

PayPal recommends customers stay aware and encourages them to apply best security practices for all their accounts, including:

  • Use a unique username and password combination for every website and service.
  • Change password and security questions immediately after any suspicious activity.
  • Hover over links in emails to check the real destination URL before clicking.
  • Do not click on links if you are unsure where they lead.
  • Be cautious of messages that create a sense of urgency or demand immediate action.
  • If a message claims to be from PayPal and seems urgent, visit paypal.com directly in your browser and log in to check for legitimate notifications.

PayPal also reminds users that it will never ask for a username, password, or one-time authentication codes via phone, text, or email.

The company further noted that there was no delay in the notification process, even as the law enforcement investigation proceeded.
