Overview
- PayPal notified approximately 100 PayPal Working Capital customers of potential exposure, while declining to publish a definitive affected count.
- Exposed information included names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth.
- The exposure occurred from July 1 to December 12–13, 2025; PayPal says it rolled back the faulty code and terminated unauthorized access after discovery.
- A few customers saw unauthorized transactions that have been refunded, impacted passwords were reset, and two years of three‑bureau Equifax monitoring is offered with enrollment open until June 30, 2026.
- Reporting highlights a discrepancy between PayPal’s statement that its systems were not compromised and notices referencing terminated unauthorized access, and the incident follows a 2022 credential‑stuffing case and a 2025 New York settlement.