PayPal Exposes Customers' Social Security Numbers in 6-Month Data Breach
A software bug left sensitive customer data vulnerable, highlighting the risks of coding errors.
Published on Feb. 23, 2026
PayPal discovered a vulnerability in its Working Capital loan application that exposed the Social Security numbers, dates of birth, email addresses, and other personal information of approximately 100 customers for six months from July through December 2025. Unlike a traditional data breach, this issue was caused by a simple coding error rather than a cyberattack, demonstrating how software bugs can be just as dangerous as sophisticated hacking attempts.
Why it matters
This incident underscores the significant risks posed by application-level vulnerabilities, where sensitive data can be accessed through ordinary customer journeys. Even when security walls are strong, coding errors can leave the 'back door' wide open for bad actors to exploit. The exposure of Social Security numbers is particularly concerning, as this information cannot be easily changed like compromised passwords.
The details
The bug was discovered on December 12, 2025, and fixed within 24 hours. However, the damage was already done, as customer data had been exposed for six months. In addition to Social Security numbers, the exposed information included names, dates of birth, email addresses, phone numbers, and business addresses. While PayPal has issued refunds for any unauthorized transactions and is providing two years of credit monitoring, the long-term impact on affected customers' financial identities remains a concern.
- The vulnerability existed in PayPal's Working Capital loan application from July through December 2025.
- PayPal discovered the issue on December 12, 2025, and fixed it within 24 hours.
The players
PayPal
An American digital payments company that operates an online payments system in numerous countries around the world.
Nick Tausek
A security analyst who commented on the broader implications of application-level vulnerabilities.
What they’re saying
“When sensitive identity attributes can be reached through an ordinary customer journey, it signals to attackers that the fastest path to payoff is often the business logic itself.”
— Nick Tausek, Security Analyst (gadgetreview.com)
What’s next
PayPal is providing two years of credit monitoring through Equifax for the affected customers, as Social Security numbers cannot be easily changed like compromised passwords.
The takeaway
This breach highlights the significant risks posed by coding errors, which can be just as dangerous as sophisticated cyberattacks. It underscores the need for companies to prioritize application-level security and thoroughly test their systems to identify and address any vulnerabilities that could expose sensitive customer data.