PayPal data breach confirmed: Users urged to reset passwords

Renowned online money transfer platform PayPal has confirmed a data breach affecting a small number of users. The breach resulted in unauthorised account activity, prompting forced password resets.

The company notified impacted users via email earlier this month, revealing that notorious malware accessed information related to PayPal Working Capital (PPWC) loan applications, which is believed to be the reason behind some users reporting unfamiliar transactions on their accounts.

Details of PayPal data breach

As noted in the breach notification letters dated February 10, the unauthorised access occurred between July 1, 2025, and December 12, 2025.

The incident was linked to a bug in the PayPal Working Capital loan application system. It shows that the breach was not widespread but rather associated with a specific financial product.

The surprising aspect is that the prolonged exposure of over five months, which has raised significant concerns among users.

According to PayPal, the unauthorised access was identified and terminated following an internal investigation. While the company has not disclosed the specific types of data that it may have lost, it emphasised that its systems remained uncompromised.

Around 100 customers were notified out of caution, something that led to some confusion regarding the nature of the breach.