PayPal data breach was undiscovered for up to 6 months
And it was two months before affected customers were notified
A data breach in payment service provider PayPal was undiscovered for up to 6 months after a vulnerability was caused by a change to the company’s loan application process.
A fault in PayPal's Working Capital (PPWC) loan application process, attributed to a "code change" made on 1st July 2025, allowed an attacker to access sensitive information before it was discovered and fixed by PayPal's security team on 12th December. Potentially, the attacker could have had access for six months.
Fortunately, the number of customers affected appears to be small, at around 100 people. However, the personal data exposed included names, email addresses, phone numbers, business addresses, Social Security numbers and dates of birth.
PayPal initially said that its systems had not been compromised. But a breach notification shared by BleepingComputer, dated 10th February and sent to affected customers said “the PII of a small number of customers was exposed to unauthorised individuals,” adding that the company had “rolled back the code change responsible for this error, which potentially exposed the PII.”
The two-month interval between fixing the error and informing affected customers, along with the initial denial, raises questions about the company’s transparency.
According to PayPal’s notification, “a few customers” experienced unauthorised transactions and have been issued with refunds. The company reset the passwords of affected accounts and offered two years of complimentary credit monitoring and identity restoration services through Equifax.
It advised those affected to “remain vigilant and review your account information, transaction history and free credit reports for any suspicious activity.”
This is not the first time PayPal accounts have been breached. In 2023, the payments provider confirmed that attackers had used credential stuffing to access 35,000 accounts.