PayPal has confirmed that it suffered through a data breach in which an unknown attacker was found lurking in its system for nearly six months, Forbes has reported.
The company had sent emails to its affected users claiming that the cybersecurity incident must have affected some of their personal information. It explained that PayPal had identified an error in its PayPal Working Capital (PPWC) loan app during which data of some consumers was compromised from 1 July, 2025 to 13 December 2025. “PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII,” it said.
“When there is a potential exposure of customer information, PayPal is required to notify affected customers. In this case, PayPal’s systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter,” a company spokesperson said as reported by Forbes.
According to Forbes, the data potentially accessed by the third party includes name, email address, phone number, business address, social security number and data of birth.
PayPal even confirmed that few consumers also experienced “authorised transactions on their accounts”. The company claims to have refunded the affected consumers.
