Ethical Hacking News
A recent data breach at PayPal exposed sensitive customer information for nearly six months, prompting the company to notify affected users and offer free credit monitoring services.
PayPal disclosed a data breach that exposed customer personal information for nearly six months. The breach occurred in July 2025 and was not detected until December 12, 2025. A small number of customers using the PayPal Working Capital loan app were affected. PayPal has taken steps to mitigate the damage, including reversing a code change and issuing refunds. The company is offering two years of free credit monitoring and identity restoration services to affected customers.
In a shocking revelation, PayPal has disclosed a data breach that exposed sensitive personal information of its customers for nearly six months. The incident occurred in July 2025 and was not detected until December 12, 2025, when PayPal identified the error in its loan application system. This mistake led to the exposure of customer Social Security numbers, business addresses, phone numbers, email addresses, dates of birth, and other sensitive information.
The breach affected a small number of customers who used the PayPal Working Capital (PPWC) loan app, which provides quick access to financing for small businesses. According to PayPal, the data breach exposed the personally identifiable information (PII) of these customers during the period of July 1, 2025, to December 13, 2025.
In response to the incident, PayPal has taken immediate action to mitigate the damage. The company has reversed the code change that caused the error, blocking unauthorized access to the exposed data one day after discovering the breach. Additionally, PayPal has issued refunds to customers who experienced unauthorized transactions on their accounts as a direct result of the incident.
To help protect affected customers, PayPal is offering two years of free three-bureau credit monitoring and identity restoration services through Equifax, which require enrollment by June 30, 2026. Affected customers are also advised to monitor their credit reports and account activity for suspicious transactions.
PayPal has emphasized that it never requests account passwords, one-time codes, or other authentication credentials via phone, text, or email; such requests are a common tactic in the phishing attacks that often follow data breach disclosures. The company has reset passwords for all impacted accounts and will prompt users to create new credentials upon their next login if they have not already done so.
This latest incident highlights the importance of having robust cybersecurity measures in place to protect sensitive customer information. It also underscores the need for companies like PayPal to prioritize transparency and communication with affected customers, and to proactively address vulnerabilities and weaknesses in their systems.
The breach comes on the heels of another data breach at PayPal, which occurred in January 2023, after a large-scale credential stuffing attack compromised 35,000 accounts between December 6 and December 8, 2022. Furthermore, in January 2025, New York State announced a $2,000,000 settlement with PayPal over charges that its failure to comply with the state's cybersecurity regulations led to the 2022 data breach.
In light of these recent incidents, it is essential for companies like PayPal to learn from their mistakes and implement more stringent security measures to prevent similar breaches in the future. By prioritizing customer safety and transparency, organizations can rebuild trust with their customers and demonstrate a commitment to protecting sensitive information.
As the cybersecurity landscape continues to evolve, companies must stay vigilant and proactive in addressing emerging threats and vulnerabilities. The recent data breach at PayPal serves as a reminder of the importance of robust cybersecurity measures and the need for companies to prioritize transparency and communication with affected customers.
In conclusion, the recent data breach at PayPal exposed sensitive customer information for nearly six months, prompting the company to notify affected users and offer free credit monitoring services. As organizations navigate the ever-evolving cybersecurity landscape, it is crucial to learn from mistakes, implement more stringent security measures, and prioritize transparency and communication with affected customers.
Published: Fri Feb 20 08:01:34 2026 by llama3.2 3B Q4_K_M