PayPal Security Breach: Millions at Risk
Millions of users are facing a digital nightmare after a significant security failure exposed sensitive personal details. This latest vulnerability has allowed hackers to bypass standard protections, putting both private identities and bank balances at immediate risk. As investigators look into the breakdown, the full scale of the financial impact is only just beginning to surface.
PayPal has begun notifying customers via email about a system compromise that allowed a malicious party to view sensitive data. After breaking into the internal network, this intruder triggered fraudulent payments for certain customers and forced a widespread update of login credentials.
Official alerts from the firm, reviewed by Forbes’ Senior Contributor, Davey Winder, reveal that a security lapse compromised certain accounts starting on 1 July 2025. This intruder seemingly maintained a presence within the internal network for months until the company finally identified the activity on 12 December 2025.
Vulnerability Traced Back to Loan Applications
Alerts sent out on 10 February state that the vulnerability affected specific customers ‘due to an error in its PayPal Working Capital (PPWC) loan application.’
Even as the situation unfolds, it is still unclear how the intruder managed to move through the network. The company has only vaguely blamed a ‘code change’. However, a PayPal representative offered this explanation to Forbes: ‘When there is a potential exposure of customer information, PayPal is required to notify affected customers. In this case, PayPal’s systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter.’
Conflicting Reports Over System Integrity
It is still unclear why the company claims its systems were not compromised, while the official notification states that, after an investigation, the firm ‘terminated the unauthorised access to PayPal’s systems.’
The PayPal notification states, ‘Upon learning about this unauthorised activity, we promptly began an investigation and took action to address this incident, including by taking steps to prevent unauthorised actors from obtaining further personal information.’
PayPal has disclosed a data breach that exposed sensitive personal information of a small number of customers for nearly six months in 2025.
A coding error exposed personal information, including names, email addresses, phone numbers, business addresses, Social Security numbers,… pic.twitter.com/6TGaczRAhj
— Pirat_Nation 🔴 (@Pirat_Nation) February 22, 2026
Questions remain about why the company’s security department took six months to identify the breach, particularly given the extensive window of opportunity this provided for malicious activity. While the alert confirms a significant delay in detection, the relatively small number of affected accounts suggests the impact could have been far more severe had the vulnerability remained open.
What Information Was Compromised?
Current findings indicate that the following data points were potentially accessed during the incident:
- Full names
- Email addresses
- Phone numbers
- Registered business addresses
- Social Security numbers
- Dates of birth
Emergency Resets and Credit Monitoring
The company also confirmed that a small group of users experienced fraudulent charges. It is now known that the scale of this was limited, with a spokesperson confirming to Forbes that roughly 100 individuals were affected. Management has already processed refunds for every customer who suffered a financial loss.
The company has confirmed that it blocked the intruder’s access and reset the passwords of the affected users, who should have already been notified via email. As a result, users may be prompted to create new login credentials during their next visit to the site.
To help mitigate the risk, PayPal is providing two years of free credit monitoring and identity restoration through Equifax—a gesture that may offer little peace of mind to those whose sensitive data was exposed for months.
Recommended Steps for Users
To mitigate the risk of identity theft and financial loss, it is advisable for those affected to take the following precautions:
- Enroll in credit monitoring: Impacted individuals should take advantage of the firm’s 2-year free monitoring to track any suspicious changes to their credit files.
- Request fraud alerts or credit freezes: For added security, users can contact credit agencies to place a freeze on their credit reports, which prevents unauthorised parties from opening new accounts in their name, according to a McAfee report.
- Refresh login credentials: It is vital to update passwords not only for the compromised service but also for any other financial platforms, ensuring each account uses a unique, complex password.
- Exercise caution with messages: According to the Information Commissioner’s Office (ICO), users should remain wary of unexpected emails or texts, particularly those that request sensitive details or include links, as hackers often use compromised data to craft convincing phishing scams.
As the investigation into this security lapse continues, the incident serves as a stark reminder of the risks inherent in digital finance. While the number of affected users remains low, the sensitivity of the exposed data highlights the need for constant vigilance. For now, those affected by the breach should act quickly to secure their accounts and monitor their financial statements for any further signs of trouble.
Originally published on IBTimes UK