Data Breaches

PayPal Data Breach Led to Fraudulent Transactions

PayPal blamed an application error for the exposure of customer personal information for nearly 6 months. 

PayPal data breach

PayPal recently disclosed a data breach that affected customers’ personal information and led to fraudulent transactions.

Notification letters sent to impacted individuals revealed that the cybersecurity incident was caused by an error in the PayPal Working Capital (PPWC) loan application.

Due to the error, the personal information of a “small number of customers” was exposed for nearly six months, between July 1 and December 13, 2025.

Exposed information included names, email addresses, dates of birth, phone numbers, and business addresses combined with SSNs. 

The code that had introduced the error was rolled back and the affected customers’ passwords were reset. However, the vulnerability was exploited before it was patched.

“A few customers experienced unauthorized transactions on their account and PayPal has issued refunds to these customers,” PayPal said in its notification, a copy of which was submitted to authorities in Massachusetts. 

Advertisement. Scroll to continue reading.

In a statement, PayPal said it notified the roughly 100 customers affected by the incident, but noted that its “systems were not compromised.” 

This contradicts the official notification to affected users, which states that it “terminated the unauthorized access to PayPal’s systems” after detecting the breach. 

SecurityWeek has reached out to PayPal for clarification.

Related: French Government Says 1.2 Million Bank Accounts Exposed in Breach

Related: PayPal Phishing Campaign Employs Genuine Links to Take Over Accounts

Related: Malicious NPM Packages Target Cryptocurrency, PayPal Users

Related Content

Data Breaches

Hackers exploited a zero-day vulnerability in a third-party system to access a KDDI email system for ISPs.

Data Breaches

Hackers accessed the institution’s internal network and deleted two drives containing employee, student, and university data.

Data Breaches

The professional services giant says it contained the incident, remediated its source, and experienced no operational or service delivery impact.

Cybercrime

In April, ShinyHunters accessed the company’s corporate IT systems and stole patients’ personal and medical information.

Data Breaches

Hackers accessed the insurance giant’s policyholder portal multiple times between June 15 and June 25.

Data Breaches

Only a handful of the 100 organizations targeted in the PeopleSoft campaign have been confirmed.

Data Breaches

The ShinyHunters extortion group claims to have stolen 3.1 TB of data from the organization.

Data Breaches

Roughly two dozen companies have notified their customers of the Klue-Salesforce incident impact.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version