Data leak at PayPal: exposure affects PayPal Working Capital customers
PayPal disclosed in February 2026 that a coding error in its PayPal Working Capital (PPWC) business-lending platform exposed the personal data — including names, dates of birth, SSNs and business addresses — of around 100 customers, some of whom in France, for nearly six months.
- Victim
- PayPal (Business)
- records
- 100
On 20 February 2026, PayPal (Business) — the payments giant's PayPal Working Capital (PPWC) lending arm for small and medium businesses — confirmed a data leak affecting a small number of borrower accounts, including customers in France. The exposure stemmed not from an external intrusion but from a defective code change in the PPWC loan application.
The faulty code left customer personal information accessible from 1 July 2025 through 13 December 2025 — a window of nearly six months — before PayPal detected the issue, rolled back the change and terminated the unauthorized access. The company estimated that roughly 100 customers were affected. A few of those customers experienced fraudulent transactions on their accounts, for which PayPal issued refunds.
Exposed data categories included:
- Full names
- Dates of birth
- Email addresses
- Phone numbers
- Business addresses
- Social Security Numbers (SSNs)
PayPal sent breach-notification letters dated 10 February 2026, reset affected customers' passwords, and offered two years of complimentary three-bureau credit monitoring and identity-restoration services (Equifax Complete Premier), with enrollment open until 30 June 2026. The flawed code has been remediated and the unauthorized access closed, leaving the incident contained.
Sources
- fuitesinfos.frhttps://fuitesinfos.fr/article/2026-02-20-paypal-entreprise
- securityweek.comhttps://www.securityweek.com/paypal-data-breach-led-to-fraudulent-transactions/
- privacyguides.orghttps://www.privacyguides.org/news/2026/02/27/data-breach-roundup-feb-20-feb-26-2026/