PayPal has notified some users that extremely sensitive information was mistakenly accessible in one of its loan applications for several months last year. According to the communication sent to those concerned, a code change in the PayPal Working Capital loan application left personal data exposed from July 1, 2025 until the company discovered the problem and reverted the change on December 12, 2025.
The types of information involved include names, e-mail addresses, phone numbers, business addresses, dates of birth and even Social Security numbers. In the wrong hands, these data facilitate fraud of all kinds: from opening accounts in another person's name to scams targeting both individuals and companies. PayPal reported that it detected unauthorized transactions in some accounts related to the failure and that it has already issued refunds to the affected customers.

The company has also offered two years of credit monitoring covering the three major credit bureaus, plus identity restoration services provided by Equifax, although users must claim this benefit by 30 June 2026. For those who need guidance on how to activate these protections, it is useful to review the offer and the concrete steps that PayPal sent by letter to those affected; the formal notification can be found in the public document where the company's letter is reproduced.
The nature of the error described by PayPal, a software change that unintentionally opened access to personal data, is not unusual in complex infrastructure where frequent deployments and integrations between services have reduced the scope for manual testing. When this happens, the time it takes the company to detect and contain the leak is key: in this case the exposure lasted almost six months. The company states that the correction was applied immediately after the finding and that it did not delay the notification pending any external investigation.
While PayPal has not yet published an official figure for the total number of accounts affected by this incident, it has confirmed that it reset the passwords of the compromised accounts and that users will need to set new credentials when they log in. In addition, the company has reiterated a well-known but always current recommendation: never reveal passwords, one-time codes or credentials over calls, text messages or e-mails, as criminals often take advantage of these situations to launch phishing campaigns aimed at breach victims.
This episode occurs in the context of previous security problems for PayPal. In December 2022, a massive credential stuffing attack was recorded that affected tens of thousands of accounts and, in 2025, the company agreed to a settlement with the New York State regulator for failing to meet certain cybersecurity obligations related to that incident. The recurrence of these episodes raises questions about how large platforms manage technological risk over time and whether the measures taken after each incident are sufficient to avoid repetition.
For users and small businesses using services such as PayPal Working Capital, there are practical measures that should be taken immediately after such a notification. First, carefully review bank movements and transactions in PayPal and related accounts; second, request credit reports and consider fraud alerts or a credit freeze where possible; and third, be alert to phishing attempts, which often increase after large personal data leaks. The Federal Trade Commission (FTC) provides clear advice on what steps to take in the event of identity theft and how to protect oneself in the medium term, a useful guide for those receiving a similar notification.

It is also recommended to take advantage of the monitoring and restoration services offered by the company itself, but with caution: read the terms of the services, check exactly what the protection covers and for how long, and do not rely only on that coverage. The services offered by providers such as Equifax may be useful, but it is appropriate to know the alternatives and to complement these measures with active monitoring of statements and personal alerts. More information on credit protection and monitoring services can be found on the Equifax website.
From a technical and governance point of view, the main lesson is that software deployments on platforms that handle sensitive data require quality controls and robust anomaly detection: code audits, realistic test environments, progressive deployments with real-time monitoring and clear processes to roll back problematic changes. In addition, transparency with customers and coordination with regulators can help to mitigate the reputational and legal impact when a leak occurs. For those who want to follow coverage of the incident, specialized media such as BleepingComputer have reported on the notification and have sought official statements from PayPal.
Ultimately, when a payment platform with millions of users suffers an exposure of this nature, the consequences do not only affect the direct victims; they erode confidence in services that many businesses and consumers consider essential. The responsibility now lies with PayPal to demonstrate that it has learned from the incident, strengthened its processes and, above all, better protected the data its clients entrust to it.