PayPal recently disclosed a cybersecurity incident involving its PayPal Working Capital (“PPWC”) loan application. A coding error reportedly exposed certain customers’ personal information between July and December 2025, potentially including Social Security numbers and dates of birth.
PayPal’s Data Breach Investigation
PayPal announced that on December 12, 2025, it identified a cybersecurity issue tied to its PayPal Working Capital (PPWC) loan application. According to the company, a code-related error resulted in the personal identifiable information (PII) of a small number of customers being exposed to unauthorized individuals during the timeframe of July 1, 2025 through December 13, 2025.
Unlike many cyberattacks that stem from external hacking attempts, this incident reportedly resulted from an internal coding issue that inadvertently allowed unauthorized access. Once the issue was identified, PayPal stated that it rolled back the code change responsible for the error to prevent further exposure.
PayPal also reported that it did not delay notifying affected customers due to any law enforcement investigation. Upon learning of the unauthorized activity, the company initiated an investigation and terminated the unauthorized access to its systems. As an added precaution, PayPal reset the passwords of affected accounts and implemented enhanced security controls requiring impacted users to establish new passwords if they had not already done so.
The company further disclosed that a small number of customers experienced unauthorized transactions on their accounts. For those individuals, PayPal issued refunds to cover the unauthorized activity. While reimbursement can mitigate direct financial losses, the exposure of highly sensitive personal information—such as Social Security numbers and dates of birth—can pose long-term risks of identity theft and fraud.
According to PayPal, the potentially exposed data included customers’ business contact information combined with more sensitive identifiers. The inclusion of Social Security numbers and dates of birth significantly increases the risk of identity theft, fraudulent account openings, and tax-related fraud.
In response to the incident, PayPal is offering two years of complimentary credit monitoring and identity restoration services through Equifax. Credit monitoring services can help detect suspicious activity on credit reports, while identity restoration services assist victims in resolving fraud-related issues.
Technology and financial service providers are entrusted with vast amounts of personal and financial data. When internal errors result in the exposure of sensitive information, affected individuals may face uncertainty about the security of their accounts and identities. Even if misuse is limited or quickly remediated, the long-term risks associated with exposed Social Security numbers can persist.
At Class Action U, we believe consumers deserve transparency and accountability when their personal information is placed at risk—whether due to external hacking or internal system errors. If you received a notification from PayPal regarding this incident, understanding what happened and exploring your legal rights may help you determine your next steps.
When Did This Breach Occur?
According to PayPal’s disclosure:
-
Date(s) the Breach Occurred: July 1, 2025 – December 13, 2025
-
Date the Breach Was Discovered: December 12, 2025
PayPal identified the coding error on December 12, 2025, and determined that personal information may have been exposed between July 1 and December 13, 2025.
What Information Was Breached?
PayPal reported that the following information may have been exposed:
-
Name
-
Email address
-
Phone number
-
Business address
-
Social Security number
-
Date of birth
The specific data elements involved vary by individual.
What You Can Do
If you received a notification from PayPal about this incident, consider taking the following steps:
-
Enroll in the complimentary two-year credit monitoring and identity restoration services offered through Equifax before the June 30, 2026 deadline.
-
Review your PayPal account and transaction history for any unauthorized activity.
-
Monitor your credit reports for unfamiliar accounts or inquiries.
-
Place a fraud alert or security freeze on your credit file if you suspect risk.
-
Report suspicious transactions immediately to PayPal and your financial institutions.
Even if you were refunded for unauthorized transactions, the exposure of Social Security numbers and dates of birth may increase your risk of identity theft in the future. Remaining vigilant is essential.
You may also wish to explore your legal rights. Many individuals are unaware that they may be eligible to join a class action lawsuit following a data breach. When consumers stand together, they can seek accountability and potential compensation for the exposure of their personal information.
File a Data Breach Lawsuit Against PayPal
If you received notice that your personal information was involved in the PayPal data breach, you may have the right to pursue legal action.
Data breach lawsuits aim to hold companies accountable when system errors or cybersecurity failures result in the exposure of sensitive consumer information. Compensation may include reimbursement for out-of-pocket costs, time spent addressing fraud, credit monitoring expenses, and other related damages.
You do not have to face the consequences of a data breach alone. Learning about your legal options can help you determine whether you qualify to join a class action lawsuit and seek potential compensation.
Contact us at Class Action U, where we’ll connect you with a lawyer skilled in class action lawsuits. If you’ve been contacted about this breach, received notice, or discovered you were impacted, fill out our quick, easy, and secure form to sign up. There is no cost to reach out to our legal partner and no obligation after speaking with someone from our team.
