PAYPAL disclosed a data breach caused by an error in the PayPal Working Capital loan application, which exposed customers’ personal information for nearly six months. The exposed data included names, email addresses, dates of birth, phone numbers, and business addresses, alongside SSNs. The flaw’s code was rolled back and affected customers’ passwords were reset, but the vulnerability was exploited before it was patched.
PayPal said that a few customers experienced unauthorized transactions and that refunds had been issued to those customers. The company notified roughly 100 customers as affected, but stated that its systems were not compromised, a claim challenged by the breach notification which said unauthorized access was terminated after detection. The incident was reported on 23 February 2026 by Eduard Kovacs for SecurityWeek.