PayPal Loan Application Glitch Exposes Sensitive User Data for Six Months

2026-02-21

San Jose, Friday, 20 February 2026.
A coding flaw in PayPal’s loan platform left sensitive data, including Social Security numbers, exposed for nearly six months, leading to unauthorized transactions and immediate security protocol revisions.

Anatomy of the Breach

PayPal Holdings, Inc. (PYPL) identified the source of the data leak as a software vulnerability within its PayPal Working Capital (PPWC) loan application, a service designed to facilitate business lending [1][4]. The exposure window, resulting from a specific coding error, remained open for nearly six months, spanning from July 1, 2025, to December 13, 2025 [1][3]. While the company’s core payment infrastructure remained secure, the flaw in this auxiliary service allowed unauthorized access to high-risk Personally Identifiable Information (PII) belonging to customers [2][4].

Operational Response and Remediation

Internal security teams discovered the vulnerability on December 12, 2025, and successfully reversed the problematic code change by the following day, December 13, 2025 [1][3]. In a statement provided on February 20, 2026, a PayPal spokesperson clarified that the incident was isolated to approximately 100 customers and emphasized that the broader PayPal ecosystem was not breached [1]. The company further asserted that the notification delay was not requested by law enforcement, indicating the time was likely used for internal investigation and verification of the breach’s scope [3].

Regulatory Context and Recurring Risks

This incident adds to a series of security challenges for the fintech giant. In January 2025, just over a year prior to this disclosure, PayPal settled with New York State for $2,000,000 following a 2022 data breach that impacted roughly 35,000 accounts via credential stuffing [1][3]. These recurring issues underscore the difficulties major financial institutions face in securing third-party or peripheral applications against configuration errors and software defects [2].
