A simple software bug gave strangers access to Social Security numbers for half a year. PayPal’s Working Capital loan application accidentally left customer data wide open from July through December 2025, proving that coding errors can be just as dangerous as sophisticated hacking attempts.
The Bug That Opened the Vault
Unlike traditional breaches, this vulnerability didn’t require breaking through security walls.
PayPal discovered the exposure on December 12, 2025, and fixed it within 24 hours. But the damage was done—approximately 100 customers had their most sensitive information floating in digital limbo for six months. The exposed data reads like an identity thief’s wishlist:
- Names
- Social Security numbers
- Dates of birth
- Email addresses
- Phone numbers
- Business addresses
Here’s where it gets interesting: PayPal’s systems weren’t actually “compromised” in the traditional sense. Bad actors didn’t need to hack through firewalls or crack encryption. The door was left wide open by faulty code in the loan application interface, which let customer records be reached through ordinary requests rather than through any exploit.
When Business Logic Becomes a Security Nightmare
Expert analysis reveals why application-level vulnerabilities pose unique risks.
Security analyst Nick Tausek captured the broader implications perfectly: “When sensitive identity attributes can be reached through an ordinary customer journey, it signals to attackers that the fastest path to payoff is often the business logic itself.” Think of it like a bank vault with a perfectly secure door—except someone accidentally left a window unlocked around back.
Some affected customers did experience unauthorized transactions, though PayPal has issued full refunds. The company is also providing two years of credit monitoring through Equifax, because Social Security numbers don’t expire like compromised passwords.
Pattern Recognition
This marks PayPal’s second major security incident in three years.
This breach follows PayPal’s established playbook of security mishaps. In December 2022, credential stuffing attacks compromised 35,000 accounts—a much larger scope but a different attack vector. That incident earned PayPal a $2 million settlement with New York State in January 2025 for failing to meet cybersecurity requirements.
The narrow scope of this latest breach—affecting just 100 customers out of PayPal’s 434 million users—might seem reassuring. But when you’re dealing with Social Security numbers and business loan applications, scale matters less than severity. Your financial identity doesn’t care about statistical probabilities when it’s your data sitting exposed on someone’s server for six months.
The real question isn’t whether PayPal can fix individual bugs, but whether they can break the cycle of “oops, we did it again,” which is becoming their security signature.