A software security flaw in PayPal’s loan app leaked customer data for 6 months, forcing the payment giant to issue refunds after unauthorized transactions occurred in some affected accounts.
Upon learning of the data breach on December 12, 2025, PayPal immediately fixed the software error, revoked the threat actor’s access, and launched an investigation.
PayPal loan app security flaw leaks customer data
PayPal’s investigation determined that, since July 1, 2025, the loan app security breach leaked customers’ names, email addresses, phone numbers, dates of birth, business addresses, and Social Security numbers.
“On December 12, 2025, PayPal identified that due to an error in its PayPal Working Capital (“PPWC”) loan application, the PII of a small number of customers was exposed to unauthorized individuals during the timeframe of July 1, 2025 to December 13, 2025,” the payment giant stated.
PPWC is a merchant cash advance (MCA) loan product that offers small businesses quick, flexible financing of up to $300,000 for repeat borrowers, sized on their PayPal cash flow and typically repaid by deducting a percentage of their PayPal sales.
According to its press statement, PayPal Business Loan and PayPal Working Capital have extended over $30 billion in loans to over 420,000 businesses worldwide since 2013.
PayPal says the customer data leak affected 100 loan app users, and its internal systems were unaffected. The payment giant also says it has notified the impacted users and will initiate a password reset for all affected accounts during their next login.
“Even if the impacted population of the breach is limited to roughly 100 customers, the sensitivity of the data raises the likelihood of identity theft, synthetic identity fraud, and highly targeted social engineering against small businesses,” said Andrew Costis, Manager of the Adversary Research Team at AttackIQ. “The longer that attackers are able to remain undetected within networks, the greater the likelihood of credential exposure becomes. The bigger implication for organizations is operational, as a single code change in a customer-facing workflow can silently bypass expected access controls and monitoring for months.”
PayPal issues refunds after customer data leak results in unauthorized transactions
PayPal has disclosed that the attacker made unauthorized transactions on a subset of customer accounts, prompting the payment giant to issue refunds.
“A few customers experienced unauthorized transactions on their account and PayPal has issued refunds to these customers,” PayPal wrote.
Additionally, the payment giant is offering two years of free credit monitoring and identity restoration services through Equifax, with affected users required to sign up by June 30, 2026, to benefit from the service.
In the meantime, impacted users should monitor their financial statements and credit reports for suspicious activity and report any anomalies to PayPal, their financial institutions, and the relevant authorities. The payment processor also reminded customers that it never requests sensitive data, including account usernames, passwords, two-factor authentication codes, credit card numbers, or other financial and authentication details, via call, text, or email. Victims should also use strong, unique passwords and enable multi-factor authentication.
“This incident is a classic example of how ‘application logic flaws’ can be just as damaging as external hacks. When sensitive financial workflows like loan applications are misconfigured, attackers don’t need sophisticated malware, they simply exploit business logic errors,” stated Ensar Seker, CISO at SOCRadar. “The six-month exposure window is particularly concerning because it suggests monitoring and anomaly detection controls were either insufficient or not tuned to detect misuse at the application layer.”
Recently, the prolific cybercrime gang ShinyHunters has targeted dozens of organizations to steal login credentials and multifactor authentication codes via voice phishing. The social engineering attack on the identity management company Okta, which affected the streaming website SoundCloud, the investment platform Betterment, and the business intelligence service CrunchBase, was attributed to the same group.
PayPal has also suffered customer data breaches in the past. Between December 6 and December 8, 2022, a massive credential stuffing attack hit the payment processor, compromising 35,000 accounts and resulting in a $2 million settlement with the state of New York.