PayPal Links Minor Data Breach and Fraud to App Coding Mistake


Fintech Leader Reports Personal Data Breach Affecting Business Users of Loan Application


PayPal, a leading financial services company, has acknowledged a data breach lasting six months that compromised personal information of certain business clients, which subsequently resulted in fraudulent activity. Around 100 customers were reported to have been impacted by this incident, attributed to a coding error within the PayPal Working Capital application designed to assist businesses with loans up to $300,000.

The California-based fintech giant processed an impressive $1.7 trillion in 2024 and claimed a remarkable 434 million active accounts, boasting a net revenue of $31.8 billion, as outlined in its latest annual report. “When a potential exposure of customer data arises, PayPal is mandated to inform those affected,” a company statement noted. “In this case, our systems remained intact, and we proactively reached out to the approximately 100 customers potentially impacted by this exposure.”

On February 10, affected customers received breach notifications describing the company's prompt response to the unauthorized activity it identified, which included initiating an investigation and terminating the unauthorized access to its systems. The company also reset passwords for the affected accounts and introduced enhanced security measures that require customers to set a new password to log in.

PayPal reported the initial identification of the underlying coding error on December 12, 2025, with the data exposure occurring from July 1 to December 13 of the previous year. The breached information included vital personal details such as business account holders’ names, email addresses, phone numbers, Social Security numbers, and dates of birth.

In response to the breach, PayPal reverted the code changes that led to this vulnerability. Affected customers with unauthorized transactions have been refunded. However, the company has yet to clarify whether the unauthorized transactions were due to exposed passwords or other factors.

As a further safety measure, PayPal is proactively providing all impacted customers with two years of complimentary identity theft monitoring. This incident marks the second data breach for PayPal; in January 2023, the firm notified nearly 35,000 customers about account accesses by attackers during a three-day period in December 2022. During that breach, attackers likely utilized phishing techniques to acquire login credentials.

The MITRE ATT&CK framework identifies various tactics that may apply to this incident, including initial access through social engineering and possible execution methods via exploitation of application vulnerabilities. Despite the swift responses from PayPal, the risk posed by such breaches underlines the need for robust security practices, such as implementing multifactor authentication, to mitigate potential threats in today’s digital landscape.
