PayPal Confirms Data Breach: Customer Money Stolen, Passwords Forcefully Reset
PayPal has officially confirmed a significant data breach that exposed sensitive personal information belonging to users of its PayPal Working Capital (PPWC) loan program, leading to unauthorized transactions and a mass password reset initiative.
The breach, which went undetected for nearly six months, allowed a hacker to maintain access to specific PayPal systems from July 1, 2025, until December 12, 2025, when the company finally discovered the security incident.
According to breach notification letters sent to impacted users—dated February 10 and reviewed by Forbes—the intrusion was tied to “an error in its PayPal Working Capital loan application” process.
What Data Was Exposed?
While PayPal initially stated the breach affected only a subset of users, the information accessed is highly sensitive. The threat actor potentially gained access to:
· Full Names
· Email Addresses
· Phone Numbers
· Business Addresses
· Social Security Numbers
· Dates of Birth
Unauthorized Transactions and Refunds
In a concerning development, PayPal confirmed that “a few customers experienced unauthorized transactions on their account” as a result of the breach. The company states it has already issued full refunds to those specific customers, though it has declined to specify the number of accounts affected or the nature of the fraudulent transactions.
Company Response: Passwords Reset
PayPal has terminated the hacker’s access to its systems. Affected users will be required to reset their passwords upon their next login attempt.
In an effort to mitigate potential identity theft, PayPal is offering two years of complimentary credit monitoring and identity restoration services through Equifax to all impacted individuals.
Clarification on System Compromise
Following the publication of this report, a PayPal spokesperson provided a statement to Forbes: “When there is a potential exposure of customer information, PayPal is required to notify affected customers. In this case, PayPal’s systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter.”
Forbes has sought further clarification regarding the apparent discrepancy between the statement claiming systems were “not compromised” and the official notification letter, which explicitly stated that PayPal had “terminated the unauthorized access to PayPal’s systems.”
Advice for Users
Although the breach appears limited to PPWC loan applicants, PayPal urges all customers to remain vigilant. Users are advised to review their account information and transaction histories carefully for any suspicious activity.
About The Author
