PayPal admits customer data was exposed in security breach

The PayPal breach went undetected for 6 months

Names, emails, phone numbers, and SSNs were exposed in a PayPal breach. Learn how to protect your accounts now. | ©Image Credit: Marques Thomas / Unsplash

Millions trust PayPal with their most sensitive financial details — but some users are now learning that a security breach quietly exposed customer data for six months before it was detected. While the company says only around 100 accounts were potentially impacted, the information accessed includes highly sensitive personal details, and a small number of users reported unauthorized transactions. Even more concerning is the timeline: the intrusion reportedly began in July and wasn’t discovered until December. So, how did it happen, what data was exposed, and should you be worried? Here’s what we know so far — and what every PayPal user should do next.

PayPal confirms half-year security lapse in loan system

A security lapse at PayPal left sensitive customer data exposed for nearly six months before the company finally slammed the door shut. According to verified breach notification letters, a threat actor successfully infiltrated PayPal’s infrastructure on July 1, 2025, maintaining a quiet presence until the intrusion was finally unearthed on December 12, 2025.

The root of the problem appears to be a technical glitch rather than a targeted brute-force attack. Official notifications, issued on February 10, reveal that the exposure occurred “due to an error in its PayPal Working Capital (“PPWC”) loan application.” While the exact mechanics of the breach are still coming to light, the company has so far attributed the vulnerability to a simple “code change.”

Contradictory claims and corporate messaging

The incident has sparked confusion due to conflicting narratives between PayPal’s formal notices and its public PR stance. After the initial reports surfaced, a PayPal spokesperson offered a statement to Forbes that downplayed the severity: “When there is a potential exposure of customer information, PayPal is required to notify affected customers. In this case, PayPal’s systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter.”

This claim, that systems “were not compromised,” stands in stark contrast to the company’s own breach notification, which explicitly stated that investigators had successfully “terminated the unauthorized access to PayPal’s systems.” Whether this is a matter of legal semantics or a genuine disparity in facts remains unclear. Forbes, which was among the first to report the breach, said it is currently seeking further clarification on how an attacker can have “unauthorized access” to a system that isn’t considered “compromised.”

A massive window of opportunity

Despite the relatively small pool of victims, the timeline of the incident is the most troubling factor. The hacker had a half-year window to operate before a red flag was raised. In the breach notification, the company noted: “Upon learning about this unauthorized activity, we promptly began an investigation and took action to address this incident, including by taking steps to prevent unauthorized actors from obtaining further personal information.”

While the swiftness of the response after discovery is standard protocol, the six-month delay in detection raises serious questions about PayPal’s real-time monitoring capabilities. Given the sensitivity of the data involved, we can only be thankful that the scope remained limited to roughly 100 individuals before the vulnerability was finally patched.

The sensitive data accessed in the PayPal breach

While the scale of the incident was limited, the depth of the data exposed is significant. Investigations have revealed that the following sensitive details were vulnerable to the unauthorized actor:

  • Legal identity: Full names and dates of birth
  • Contact details: Email addresses and phone numbers
  • Business records: Registered business addresses
  • Government IDs: Social Security numbers

Beyond static data, the breach had immediate financial consequences for some users. According to a company representative, “a few customers experienced unauthorized transactions on their account.” While the spokesperson confirmed this affected a very small number of users, PayPal has reportedly acted quickly to rectify the situation, confirming it has already terminated the attacker’s access to its systems and issued refunds to those impacted.

Those affected have also had their account passwords reset, meaning you may be required to set a new password the next time you log in. “We are offering you two years of complimentary credit monitoring and identity restoration services through Equifax,” added the PayPal spokesperson.

Although it is a relief that only a tiny fraction of PayPal’s massive user base was directly impacted, the quality of the stolen data remains a major concern. When an attacker possesses a Social Security number alongside a business address and phone number, the threat extends far beyond a single compromised account. For small business owners, this information is ideal for highly sophisticated phishing campaigns. Unlike generic spam, these targeted attacks use specific personal details to build trust, making them much harder to detect.

How to protect your PayPal account after a security breach

Even if you weren’t affected by the recent breach, these best practices are essential for protecting your PayPal account and other online services:

  1. Use unique usernames and strong passwords: Avoid reusing email addresses or passwords across multiple accounts. Unique usernames add an extra layer of protection against credential-stuffing attacks, and strong, complex passwords make it harder for hackers to gain access.
  2. Update passwords and security questions immediately if suspicious activity occurs: A quick password change can prevent a minor issue from turning into a major breach.
  3. Verify links before clicking: Hover over email or text links to see the actual destination. When in doubt, type the website address directly into your browser instead of following the link.
  4. Be cautious with urgent messages: Emails or texts demanding immediate action may be phishing attempts. Always log in to your account through a known, trusted URL to confirm any alerts.
  5. Never share login or authentication information: PayPal will never ask for your password, username, or one-time codes via email, text, or phone call.
  6. Use passkeys when available: Adding a passkey provides an extra layer of security that can significantly reduce the risk of unauthorized access.
  7. Monitor your account regularly: Even if you weren’t impacted, stay vigilant by reviewing account information and transaction history frequently. Early detection is key to preventing further threats.

Source: Forbes