In February 2026, PayPal Inc. issued a formal breach notification to a small group of its customers after discovering that certain personal information had been exposed due to a software error in one of its services. This notification alerted users to the possibility of unauthorized access to sensitive data and outlined steps being taken to mitigate harm.
How the Exposure Occurred
According to the breach notification referenced in media reports, the exposure wasn’t caused by an external hack into PayPal’s central systems. Instead, it stemmed from a coding error in PayPal’s Working Capital (PPWC) loan application software—a service that helps small business owners access financing.
An erroneous code change in this application inadvertently made customer personal data visible to parties who were not authorized to see it. The defect went undetected for several months. Once it was identified, PayPal rolled back the offending change to block further access.
Timeline of the Incident
- Unauthorized exposure period: July 1, 2025 – December 12 or 13, 2025
- Discovery: December 12, 2025
- Public notification: February 10, 2026 (via breach letters to affected users)
This means the data was exposed for roughly five and a half months before PayPal corrected the issue, and affected individuals were notified about two months after the fix.
What Data Was Exposed
The types of personal information that may have been exposed include:
- Full names
- Email addresses
- Phone numbers
- Business addresses
- Dates of birth
- Social Security Numbers (SSNs)
The inclusion of SSNs and dates of birth significantly raises risks related to identity theft and targeted fraud.
Is PayPal’s System “Breached”?
PayPal has stated (via spokespersons and notification letters) that its main systems were not compromised in a traditional cybersecurity breach. Rather, the exposure was the result of a software defect that left some data accessible for an extended period.
However, some reporting highlights a tension between this claim and the fact that unauthorized access did occur. In practical terms, regardless of technical wording, personal data was accessed without permission, which is the core concern in any breach scenario.
Impact on Customers
Though the number of affected users appears to be limited—reports suggest around 100 customers were directly contacted about the breach—some did experience unauthorized transactions. PayPal has said it has refunded those customers for any losses incurred as a result of these transactions.
Remediation and Support
To help mitigate risks associated with the breach, PayPal is offering affected users:
- Two years of free credit monitoring and identity restoration services (via a major credit bureau service, such as Equifax Complete Premier)
- Mandatory password resets for all impacted accounts
- Guidance on monitoring financial accounts and credit reports
Customers must typically opt in or enroll to receive services such as credit monitoring and identity theft insurance.
What Users Should Do
Even if you did not receive a notification letter, cybersecurity experts recommend taking the following precautions:
- Change and strengthen your PayPal password immediately
- Enable two-factor authentication (2FA) if not already done
- Monitor account activity for unfamiliar transactions
- Check credit reports regularly for signs of identity misuse
- Beware of phishing attempts pretending to be breach-related communications
Broader Context
This incident follows previous data security challenges for PayPal. In early 2023, the company faced a credential stuffing breach that affected tens of thousands of users, resulting in forced password resets and extended monitoring offerings.
The 2026 notice underscores the ongoing challenges large financial technology platforms face in securing sensitive customer data and the importance of robust software practices, vigilant monitoring, and transparency in breach disclosures.
