PayPal admits coding glitch exposed social security numbers and sparked fraudulent charges
- Marijan Hassan - Tech Journalist
Last week, PayPal confirmed that a significant software error in its PayPal Working Capital (PPWC) loan application left sensitive user data exposed for nearly six months. The glitch, which went undetected from July to December 2025, allowed unauthorized individuals to view and scrape "the crown jewels" of personal identity, including full names, email addresses, phone numbers, business addresses, dates of birth, and Social Security numbers.

The six-month vulnerability window
The exposure was not a sudden breach but a prolonged leak caused by a routine application update that went wrong. The sensitive data was accessible to unauthorized parties between July 1, 2025, and December 13, 2025.
PayPal engineers identified a "code modification" within the PPWC interface that inadvertently made private database fields visible to the public web. PPWC is a platform used by small businesses for short-term financing.
Delayed notification
Although the issue was fixed in December 2025, PayPal only began sending formal "Notice of Data Breach" letters to affected users around February 10, 2026.
Identity theft and financial fallout
Because the leak included high-value identifiers, the real-world impact was immediate for a subset of the approximately 100 impacted customers. PayPal confirmed that "a few" of the exposed accounts were immediately targeted for fraudulent transactions.
The company stated it has already issued full refunds to these victims.
As a precaution, PayPal has also forcibly reset passwords for all accounts linked to the PPWC platform during the exposure window.
The cleanup: Equifax and enhanced controls
To mitigate the long-term risk of identity theft, which is high given that SSNs do not expire, PayPal is offering a standard "remediation package." Affected users are being provided with two years of free three-bureau credit monitoring and identity restoration services through Equifax.
The company also claims to have implemented "enhanced security controls" and a more rigorous peer-review process for code changes affecting sensitive PII (Personally Identifiable Information) fields.
In a statement to The Register, a PayPal spokesperson maintained that "PayPal’s systems were not compromised," a technical distinction meant to clarify that the vault itself wasn't cracked. Rather, the data was simply "delivered" to unauthorized users by the faulty app code.
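The failure class described above, where a code change causes an application to hand back every database column of a record instead of the few the page needs, shown as an added illustration (not PayPal's code; the record layout, field names and sample values are all hypothetical and constructed). It pairs the over-exposing serializer with an allowlisted one and a mechanical check of the kind a stricter review process for PII-touching changes would run:

```python
# Added example, not PayPal's code. Demonstrates the "expose every field"
# serialization defect next to its allowlisted fix, plus a regression check
# that flags any PII key reaching a public response. All names are hypothetical.
import json

# Constructed sample row, as an ORM might hand it to a view or serializer.
APPLICATION_ROW = {
    "application_id": "PPWC-000123",
    "business_name": "Example Bakery LLC",
    "requested_amount": 25000,
    "status": "under_review",
    "owner_full_name": "Jane Doe",
    "owner_email": "jane@example.com",
    "owner_phone": "+1-555-0100",
    "business_address": "1 Main St, Springfield",
    "owner_dob": "1980-01-02",
    "owner_ssn": "123-45-6789",
}

# Fields a public-facing status endpoint legitimately needs (hypothetical).
PUBLIC_FIELDS = frozenset({"application_id", "business_name",
                           "requested_amount", "status"})

# Fields that must never appear in a public response, listed explicitly so the
# review check is mechanical rather than dependent on a reviewer noticing.
PII_FIELDS = frozenset({"owner_full_name", "owner_email", "owner_phone",
                        "business_address", "owner_dob", "owner_ssn"})


def serialize_vulnerable(row: dict) -> str:
    """The faulty pattern: dump the whole row, so every column (and any column
    added later) leaks to whoever can reach the endpoint."""
    return json.dumps(row)


def serialize_allowlisted(row: dict) -> str:
    """Hardened: emit only allowlisted keys; anything else is dropped by default."""
    return json.dumps({k: v for k, v in row.items() if k in PUBLIC_FIELDS})


def leaked_pii_fields(response_json: str) -> set:
    """Regression check for CI or code review: which PII keys does a response
    actually contain? Empty set means the change is safe on this axis."""
    return set(json.loads(response_json)) & PII_FIELDS


if __name__ == "__main__":
    print("vulnerable leaks:", sorted(leaked_pii_fields(serialize_vulnerable(APPLICATION_ROW))))
    print("allowlisted leaks:", sorted(leaked_pii_fields(serialize_allowlisted(APPLICATION_ROW))))
```

Running `leaked_pii_fields` against every public endpoint's sample response in the test suite turns the "did this change expose a sensitive column?" question into a failing build rather than a six-month window.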