The company rolled back the changes and forcibly reset passwords for the affected accounts.
PayPal Working Capital, a lending service, suffered a data breach. The cause was not hackers, but a programming error by the company. A poorly executed code update allowed unauthorized access to the information for nearly six months.
According to the company , the vulnerability existed from July 1 to December 13, 2025. Researchers discovered the issue on December 12, and the San Jose office sent notifications to affected individuals on February 10, 2026.
When the developers updated the code, the interface began displaying personal data to random users. Specialists reverted the erroneous edits and patched the vulnerability. The police did not require the incident to be kept secret, and management delayed emails to the victims for internal reasons.
Leaked data makes it easy for scammers to impersonate others. Names, email addresses, phone numbers, work addresses, dates of birth, and Social Security numbers have become publicly available. With this information, scammers can more easily apply for loans and defraud people.
Management acknowledges that a small number of customers' money was stolen, but the funds have already been returned. Specialists are currently investigating the incident. The owners of the affected accounts have been asked to reset their passwords; the system will prompt them to set new ones the next time they log in.
As compensation, victims are being offered two years of free credit monitoring through Equifax. The service can be activated using the code in the email until July 31, 2026. Journalists report that approximately 100 notifications have been sent.
If you used a credit service and received a letter, check your transaction history. Be wary of calls and emails asking for your password or one-time code. Customer support never requests such information by phone, text, or email. To protect yourself from fraud, US residents should regularly check their credit reports. If necessary, you can set up free suspicious activity alerts or freeze your credit history through Experian and TransUnion.
PayPal Working Capital, a lending service, suffered a data breach. The cause was not hackers, but a programming error by the company. A poorly executed code update allowed unauthorized access to the information for nearly six months.
According to the company , the vulnerability existed from July 1 to December 13, 2025. Researchers discovered the issue on December 12, and the San Jose office sent notifications to affected individuals on February 10, 2026.
When the developers updated the code, the interface began displaying personal data to random users. Specialists reverted the erroneous edits and patched the vulnerability. The police did not require the incident to be kept secret, and management delayed emails to the victims for internal reasons.
Leaked data makes it easy for scammers to impersonate others. Names, email addresses, phone numbers, work addresses, dates of birth, and Social Security numbers have become publicly available. With this information, scammers can more easily apply for loans and defraud people.
Management acknowledges that a small number of customers' money was stolen, but the funds have already been returned. Specialists are currently investigating the incident. The owners of the affected accounts have been asked to reset their passwords; the system will prompt them to set new ones the next time they log in.
As compensation, victims are being offered two years of free credit monitoring through Equifax. The service can be activated using the code in the email until July 31, 2026. Journalists report that approximately 100 notifications have been sent.
If you used a credit service and received a letter, check your transaction history. Be wary of calls and emails asking for your password or one-time code. Customer support never requests such information by phone, text, or email. To protect yourself from fraud, US residents should regularly check their credit reports. If necessary, you can set up free suspicious activity alerts or freeze your credit history through Experian and TransUnion.
