Skip to content
Data breachContained

Data leak at PayPal: exposure affects PayPal Working Capital customers

PayPal disclosed in February 2026 that a coding error in its PayPal Working Capital (PPWC) business-lending platform exposed the personal data — including names, dates of birth, SSNs and business addresses — of around 100 customers, some of whom in France, for nearly six months.

Victim
PayPal (Business)
records
100

On 20 February 2026, PayPal (Business) — the payments giant's PayPal Working Capital (PPWC) lending arm for small and medium businesses — confirmed a data leak affecting a small number of borrower accounts, including customers in France. The exposure stemmed not from an external intrusion but from a defective code change in the PPWC loan application.

The faulty code left customer personal information accessible from 1 July 2025 through 13 December 2025 — a window of nearly six months — before PayPal detected the issue, rolled back the change and terminated the unauthorized access. The company estimated that roughly 100 customers were affected. A few of those customers experienced fraudulent transactions on their accounts, for which PayPal issued refunds.

Exposed data categories included:

  • Full names
  • Dates of birth
  • Email addresses
  • Phone numbers
  • Business addresses
  • Social Security Numbers (SSNs)

PayPal sent breach-notification letters dated 10 February 2026, reset affected customers' passwords, and offered two years of complimentary three-bureau credit monitoring and identity-restoration services (Equifax Complete Premier), with enrollment open until 30 June 2026. The flawed code has been remediated and the unauthorized access closed, leaving the incident contained.

Sources

  1. fuitesinfos.frhttps://fuitesinfos.fr/article/2026-02-20-paypal-entreprise
  2. securityweek.comhttps://www.securityweek.com/paypal-data-breach-led-to-fraudulent-transactions/
  3. privacyguides.orghttps://www.privacyguides.org/news/2026/02/27/data-breach-roundup-feb-20-feb-26-2026/

Related incidents

Data breachUnknown

23,685 records: claimed leak at ATOA

A threat actor put a database from ATOA — a French real-estate tokenization and fractional-investment fintech — up for sale on a dark web forum, exposing roughly 23,685 user and financial records plus 326 full KYC archives containing passports, ID cards and banking details.

Victim
ATOA
Records
23.7K