PayPal has confirmed a data breach that quietly exposed customer information for nearly six months. Some users discovered unauthorized transactions on their accounts. Passwords have been forcibly reset. If you use PayPal, especially for business, this is something you cannot afford to ignore. The full story is more complicated than it first appears.
A Hacker Had Access for Almost Six Months

The breach began on July 1, 2025, and wasn’t detected until December 12, 2025 — a window of over five months. It was tied to a bug in PayPal’s Working Capital loan application system. Breach notification letters, dated February 10, were sent to affected users. The timeline alone has raised serious questions about how long it went unnoticed.
Only 100 Users Were Notified

PayPal says approximately 100 customers were potentially impacted and contacted “out of caution.” That number sounds reassuring until you see what was exposed: names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth. For small business owners, especially, that combination of data is a goldmine for targeted scams and identity theft.
Money Was Actually Stolen

This wasn’t just a data exposure. PayPal confirmed that “a few customers experienced unauthorized transactions on their account.” The company has since issued refunds to those affected. It’s a rare admission. Companies don’t always own up to financial losses tied to breaches. But the acknowledgment raises the next uncomfortable question: how did it happen in the first place?
A “Code Change”

PayPal attributed the breach to “a code change” in its Working Capital loan system. A company spokesperson stated: “PayPal’s systems were not compromised.” Yet the breach notification itself said the company “terminated the unauthorized access to PayPal’s systems.” That contradiction hasn’t been publicly resolved. Forbes contributor Davey Winder, who verified the notification letter, noted the disparity and is awaiting clarification.
This Is Not PayPal’s First Security Crisis

PayPal has faced repeated security threats in recent years. In 2023, nearly 35,000 accounts were accessed through credential stuffing attacks. In late 2025, hackers exploited PayPal’s own billing infrastructure to deliver phishing messages. A spokesperson told Forbes at the time: “PayPal does not tolerate fraudulent activity.” The pattern, however, suggests the platform remains a high-value target for cybercriminals worldwide.
Your Account Password May Already Be Reset

If you were among those affected, PayPal has already reset your account password, meaning your next login will prompt you to create a new one. The company is also offering two years of free credit monitoring and identity restoration services through Equifax to impacted users. It’s a standard response, but one worth taking seriously given the sensitivity of the exposed data.
What PayPal Is Telling Users to Do Right Now

PayPal’s breach notification urged users to use unique passwords for every site, avoid clicking links in emails, and never share login credentials over calls or messages. It also reminded users: “PayPal will never ask you for your password or a one-time code.” Security experts add one more tip PayPal didn’t mention: enable a passkey on your account wherever the option is available.
Small Businesses Face the Biggest Risk Going Forward

While the breach directly affected around 100 users, the exposed data creates downstream risks for many more. Cybercriminals can use names, phone numbers, and Social Security numbers to craft convincing, personalized phishing attacks. Small businesses are especially vulnerable. Winder warned that even those not directly impacted should review their PayPal security settings immediately. A few minutes now could prevent a much bigger problem later.
What This Breach Tells Us About Digital Financial Safety

PayPal acted, but it took six months to catch the intrusion. That delay is the real story. In an age where financial data moves instantly, security must too. Whether or not you received a notification, this is a timely reminder: review your accounts, strengthen your passwords, and stay skeptical of urgent messages. Breaches like this will keep happening. Being prepared is the only reliable defense.
