PayPal Working Capital Loan App Coding Error Exposed Customer PII
PayPal disclosed that a coding error in its PayPal Working Capital (PPWC) loan application exposed a small number of customers’ personally identifiable information (PII) to unauthorized parties for roughly six months (July 1 to December 13, 2025). The exposed data included business contact details (name, email, phone number, business address) and highly sensitive identifiers such as Social Security numbers and dates of birth; PayPal said its core systems were not compromised and that the issue stemmed from an internal software defect that was later rolled back.
PayPal detected the exposure on December 12, 2025, initiated an investigation, blocked the unauthorized access, and required password resets/new credentials for impacted accounts. A small number of affected customers reported unauthorized transactions, which PayPal said were refunded; reporting indicates approximately 100 customers were notified. PayPal also stated the notification was not delayed by law enforcement and is offering impacted individuals two years of credit monitoring/identity restoration services (via Equifax, per reporting) alongside strengthened security checks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
PayPal offers two years of Equifax identity protection
As part of its remediation, PayPal offered affected customers two years of credit monitoring and identity restoration services through Equifax. Enrollment for the service was made available following the February 2026 notification.
PayPal sends breach notices to affected customers
PayPal issued written breach notifications from its San Jose headquarters to impacted customers, disclosing the six-month exposure and available remediation. The notices said a small number of customers had unauthorized transactions, which PayPal refunded.
PayPal rolls back faulty code and ends exposure
PayPal rolled back the code change in the PPWC interface, terminated unauthorized access, reset affected passwords, and added stronger login/security controls. The company said the exposure ended by December 13, 2025.
PayPal detects unauthorized activity in loan application
PayPal discovered the unauthorized activity and identified the underlying application error affecting PPWC customer data. The company said the issue was detected on December 12, 2025.
PPWC loan app code change begins exposing customer data
A coding error in PayPal's PayPal Working Capital loan application began exposing customer personal and business information, including Social Security numbers and dates of birth, to unauthorized access. The exposure window started on July 1, 2025 and ultimately affected about 100 customers.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
PayPal data breach exposes sensitive user information | SC Media
scworld.com
Open sourcePayPal Confirms Six-Month Data Exposure Linked to Loan System Error
hackread.com
Open sourceteiss - News - PayPal software error exposes social security numbers in working capital loan app
teiss.co.uk
Open sourcePayPal Data Breach-Six Months of Silent Exposure - TheCyberThrone
thecyberthrone.in
Open sourcePayPal Flaw Exposed Email Addresses, Social Security Numbers for 6 Months
techrepublic.com
Open sourcePayPal discloses extended data leak linked to Loan App glitch
securityaffairs.com
Open sourcePayPal Data Breach Exposes SSNs and Business PII of Customers for Over Six Months
cybersecuritynews.com
Open sourcePayPal app code error leaked personal info • The Register
go.theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Prosper Data Breach Exposes Sensitive Information of 17.6 Million Individuals
Prosper, a prominent peer-to-peer lending marketplace, suffered a significant data breach in September 2025, resulting in the exposure of sensitive personal information belonging to 17.6 million customers and loan applicants. The breach was detected on September 2, 2025, and was publicly disclosed by Prosper, which confirmed that unauthorized access to their systems had occurred. The compromised data includes a wide range of personally identifiable information such as names, email addresses, dates of birth, Social Security numbers, government-issued IDs, employment statuses, income levels, credit status information, physical addresses, IP addresses, and browser user agent details. Prosper stated that, despite the breach, there was no evidence that customer accounts or funds were accessed or compromised. The company’s customer-facing operations remained uninterrupted throughout the incident. Prosper has reported the breach to relevant authorities and is actively collaborating with law enforcement agencies to investigate the attack. The company is still determining the full scope of the data affected and has committed to providing free credit monitoring services to impacted individuals once the investigation clarifies the extent of the exposure. The breach was added to the Have I Been Pwned database on October 16, 2025, which helped reveal the scale of the incident, specifically the number of unique email addresses involved. Prosper has advised all users to change their passwords if they have not done so since the breach and to enable two-factor authentication for enhanced security. The company has also published a dedicated FAQ page to address customer concerns and provide ongoing updates. The attackers reportedly accessed the data through unauthorized queries on company databases that store customer and applicant information. Prosper emphasized that resolving the incident is a top priority and pledged to share additional information with customers as the investigation progresses. The breach has raised concerns about the security of financial services platforms and the protection of sensitive customer data. Security experts recommend that affected individuals monitor their credit reports and remain vigilant for signs of identity theft. The incident underscores the importance of robust cybersecurity measures and timely breach notification in the financial sector. Prosper’s response and transparency in handling the breach will be closely watched by regulators and customers alike. The breach has significant implications for the privacy and security of millions of individuals whose data was entrusted to the platform.
Mar 21, 2026
Multiple Data Exposure and Breach Reports Involving French Citizens, Victorian Students, and Alleged PayPal Credentials
Security researchers reported a large, publicly exposed database on an open cloud server containing **tens of millions of French citizen records** aggregated from at least five prior breaches, including voter data, healthcare entries, CRM contacts, financial profiles (including **IBANs/BICs**), and vehicle-related information. The dataset appears to have been compiled to increase resale value and enable identity cross-linking, elevating risks of **phishing, fraud, and identity theft**. Separately, Australia’s **Victorian Department of Education** notified parents that an unauthorized party accessed a student database containing names, school names, year levels, school-issued email addresses, and **encrypted passwords**, prompting a forced password reset and temporary account access disruption; the department stated more sensitive fields (e.g., home addresses, phone numbers) were not exposed and investigators had not confirmed public release. In another unrelated report, researchers questioned the veracity of a newly claimed **PayPal** breach, assessing a ~100,000-record credential “combolist” as likely **outdated infostealer-log data** rather than evidence of a fresh PayPal compromise, noting PayPal’s prior refutation of similar claims and the practical barriers posed by MFA.
Mar 21, 2026
National Public Data Collapses After Massive Social Security Number Breach
National Public Data (NPD), a Florida-based background-check and data-broker firm owned by Jerico Pictures, filed for bankruptcy and later shut down after a breach exposed an enormous cache of personal information, including names, addresses, and Social Security numbers. The company tied the incident to a December 2023 intrusion by a third-party actor, while outside reporting said a `277.1 GB` dataset containing roughly `2.9 billion` records was later offered on the dark web for `$3.5 million` and may have affected people in the United States, United Kingdom, and Canada. The fallout quickly expanded beyond the initial disclosure. NPD had first indicated that about `1.3 million` people were impacted, but bankruptcy filings said potential liabilities could extend to hundreds of millions of individuals, far beyond the company’s ability to fund notifications, credit monitoring, litigation, and investigations. More than a dozen class-action complaints were filed, regulators in over 20 US states and the FTC were cited as possible sources of scrutiny, and reporting also pointed to alleged exposure of back-end database passwords. Consumers were urged to freeze credit with the major bureaus and monitor for identity theft as the company’s insurance reportedly denied coverage and its operations unraveled.
May 27, 2026