PayPal discloses data breach that exposed user info for 6 months
A software error caused a data leak in PayPal's loan application that lasted nearly 6 months, involving names, email addresses, phone numbers, addresses, Social Security numbers, dates of birth, and other information. The company has rolled back the code to block access and is providing refunds and two years of free credit monitoring.

2026-2-20 13:15:17 Author: www.bleepingcomputer.com

PayPal is notifying customers of a data breach after a software error in a loan application exposed their sensitive personal information, including Social Security numbers, for nearly 6 months last year.

The incident affected the PayPal Working Capital (PPWC) loan app, which provides small businesses with quick access to financing.

PayPal discovered the breach on December 12, 2025, and determined that customers' names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth had been exposed since July 1, 2025.

The financial technology company said it has reversed the code change that caused the incident, blocking attackers' access to the data one day after discovering the breach.

"On December 12, 2025, PayPal identified that due to an error in its PayPal Working Capital ("PPWC") loan application, the PII of a small number of customers was exposed to unauthorized individuals during the timeframe of July 1, 2025 to December 13, 2025," PayPal said in breach notification letters sent to affected users.

"PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII. We have not delayed this notification as a result of any law enforcement investigation."

PayPal also detected unauthorized transactions on the accounts of a small number of customers as a direct result of the incident and has issued refunds to those affected.

The company now offers affected users two years of free three-bureau credit monitoring and identity restoration services through Equifax, which require enrollment by June 30, 2026.

Affected customers are also advised to monitor their credit reports and their account activity for suspicious transactions. PayPal reminded users that it never requests account passwords, one-time codes, or other authentication credentials via phone, text, or email, a common tactic used in phishing attacks that often follow data breach disclosures.

While PayPal has yet to disclose how many customers were affected, it has reset passwords for all impacted accounts and said that users will be prompted to create new credentials upon their next login if they have not already done so.

BleepingComputer reached out to a PayPal spokesperson with questions about the incident, but a response was not immediately available.

In January 2023, PayPal notified customers of another data breach after a large-scale credential stuffing attack compromised 35,000 accounts between December 6 and December 8, 2022.

Two years later, in January 2025, New York State announced a $2,000,000 settlement with PayPal over charges that it failed to comply with the state's cybersecurity regulations, leading to the 2022 data breach.

Article source: https://www.bleepingcomputer.com/news/security/paypal-discloses-data-breach-exposing-users-personal-information/