According to customer notifications reviewed by BleepingComputer, PayPal has disclosed a data exposure incident in which sensitive customer information remained accessible for several months.
The software misconfiguration affected the working capital loan application used by small businesses. A code change implemented in mid-2025 unintentionally made certain customer information accessible to unauthorized individuals. The problem remained undetected until December 2025, when it was identified internally and corrected the following day by rolling back the faulty update.
The exposed information may have included customer names, email addresses, phone numbers, business addresses, dates of birth, and Social Security numbers. A small number of impacted users also experienced unauthorized transactions connected to the incident, which were later refunded.
According to a company statement, internal systems were not breached and roughly 100 customers were potentially affected. Users were also reminded to stay alert for phishing attempts, which commonly follow data exposure notifications.
In response, affected customers are being offered two years of free three-bureau credit monitoring and identity restoration services, with enrollment available until June 30, 2026. Account passwords for impacted users have been reset, and additional monitoring has been put in place.
The incident shows how an application-level error, if left undetected, can expose customer data without any direct compromise of the underlying systems.