PayPal has confirmed a data breach affecting PayPal Working Capital loan users, with unauthorised access lasting approximately six months.
Following the announcement, PayPal has confirmed a data breach affecting a limited number of users of its PayPal Working Capital (PPWC) loan product, following unauthorised access to its systems that went undetected for approximately six months. The company has notified roughly 100 affected customers, reset their account passwords, and issued refunds for any unauthorised transactions recorded on impacted accounts.
Six months of unauthorised access
According to breach notification letters dated 10 February 2026, a threat actor first gained access to PayPal's systems on 1 July 2025. The unauthorised access was not identified until 12 December 2025, leaving a window of nearly six months during which personal data belonging to PPWC loan applicants was potentially exposed. PayPal has attributed the incident to a code error within the PPWC loan application process, though the company has not yet provided a detailed technical explanation of how the vulnerability was exploited or how the attacker access evolved over time.
The categories of data potentially accessed include full names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth. The inclusion of Social Security numbers and dates of birth is particularly significant for affected users, as this combination of identifiers can be leveraged in identity theft, targeted phishing campaigns, and account takeover attempts well beyond the PayPal platform itself. Small business owners, who represent a core segment of PPWC loan applicants, may face elevated risk from socially engineered fraud using this data.
PayPal has stated that it terminated the attacker's access upon discovery and has taken steps to prevent further unauthorised data access. Affected customers have been offered two years of complimentary credit monitoring and identity restoration services through Equifax.
Context and prior incidents
This is not the first security incident to affect PayPal in recent years. In 2023, approximately 34,942 accounts were accessed via a credential stuffing attack, in which threat actors used previously breached login credentials to gain unauthorised entry. More recently, in December 2025, attackers were found to be abusing PayPal's billing subscriptions feature to deliver phishing messages through legitimate infrastructure, bypassing standard email authentication protections.
PayPal has publicly acknowledged the ongoing threat landscape and stated that it combines manual investigations with automated tools to limit fraudulent activity, including proactive measures such as restricting suspicious accounts and declining high-risk transactions.
The relatively small number of users affected by this latest incident is notable given the duration of the exposure. However, the sensitivity of the data involved means that the downstream risk for affected individuals may extend beyond PayPal-specific threats. PayPal has advised impacted users to use unique credentials across services, monitor account activity, and remain cautious of unsolicited communications creating a sense of urgency.
