PayPal Confirms Data Breach as Software Error Exposes Customer Data, Money Stolen

Feb 21, 2026 - 23:54

By: Israel Adeleke

OPEN TELEVISION NAIJA (OTN) News reports as gathered that PayPal has confirmed a data breach linked to a software error in its PayPal Working Capital (PPWC) loan application, revealing that sensitive customer information was exposed for months and that money was stolen from some affected accounts.

OTN News further reports as gathered that the company, in breach notification letters sent to customers, said that the issue was discovered on December 12, 2025, after it identified an error in the PPWC loan application used to provide financing to small businesses.

According to PayPal, personally identifiable information (PII) was exposed to unauthorised individuals between July 1, 2025, and December 13, 2025.

The exposed data includes names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth, raising concerns over identity theft and financial fraud.

“On December 12, 2025, PayPal identified that due to an error in its PayPal Working Capital (‘PPWC’) loan application, the PII of a small number of customers was exposed to unauthorized individuals during the timeframe of July 1, 2025, to December 13, 2025,” the company stated in its notification.

PayPal said it rolled back the faulty code and blocked unauthorised access within a day of detecting the problem.

The company also confirmed that it identified unauthorised transactions on some of the affected accounts and has issued refunds to customers whose funds were stolen.

As compensation to the affected individuals, PayPal said it is offering two years of free credit monitoring and identity restoration services through Equifax, with enrolment available until June 30, 2026.

Customers are also advised to closely monitor their credit reports and account activity for any suspicious transactions.

The company further warned users to remain vigilant against phishing attempts, stressing that PayPal does not request passwords, one-time passcodes, or sensitive information via phone calls, text messages, or emails. 

PayPal also said that passwords for affected users have been reset, and customers will be prompted to create new login credentials if they have not already done so.

OTN News observes that the incident comes against the backdrop of previous cybersecurity challenges for the payments firm. 

In 2022, PayPal disclosed a credential stuffing attack that affected about 35,000 customer accounts. 

That breach later led to a $2 million settlement with New York State in January 2025 over alleged failures to comply with state cybersecurity regulations.

In a follow-up clarification, a PayPal spokesperson said that the company’s broader systems were not compromised and that the incident had a limited scope.

“When there is a potential exposure of customer information, PayPal is required to notify affected customers,” the spokesperson said. 

“In this case, PayPal’s systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter.”

Despite the limited number of affected users, cybersecurity experts note that the exposure of highly sensitive personal data underscores the risks associated with software errors in financial technology platforms and the importance of robust security controls, particularly in products handling lending and payment services.
