"Notification letters sent to impacted individuals revealed that the cybersecurity incident was caused by an error in the PayPal Working Capital (PPWC) loan application. Due to the error, the personal information of a "small number of customers" was exposed for nearly six months, between July 1 and December 13, 2025. Exposed information included names, email addresses, dates of birth, phone numbers, and business addresses combined with SSNs."
"The code that had introduced the error was rolled back and the affected customers' passwords were reset. However, the vulnerability was exploited before it was patched. "A few customers experienced unauthorized transactions on their account and PayPal has issued refunds to these customers," PayPal said in its notification, a copy of which was submitted to authorities in Massachusetts. In a statement to the media, PayPal said it notified the roughly 100 customers affected by the incident,"
A code error in the PayPal Working Capital (PPWC) loan application exposed the personal information of a small number of customers between July 1 and December 13, 2025. Exposed data included names, email addresses, dates of birth, phone numbers, business addresses, and combinations with Social Security numbers. The vulnerable code was rolled back and affected customers' passwords were reset after detection. The vulnerability was exploited before the patch, and a few customers experienced unauthorized transactions that were refunded. PayPal notified roughly 100 impacted customers and submitted a notification copy to Massachusetts authorities. PayPal stated its systems were not compromised while also noting it terminated unauthorized access.
Read at SecurityWeek
Unable to calculate read time
Collection
[
|
...
]