PayPal responds to data breach incident, says hundreds of customers affected.

On February 20th, the payment giant PayPal confirmed that approximately 100 users had been affected by a data breach. An internal investigation by PayPal revealed that “a few customers’ accounts had unauthorized transactions”. Hackers had obtained the commercial and personal information of these users, including their names, social security numbers, and birthdates, over the course of the past six months.

In a statement issued to the media on February 20th, PayPal said that about “100 customers” were affected but that its system was not breached. The breach of customer information was first discovered on December 12, 2025. PayPal notified the affected customers on February 10th.

The original text of the notification letter to the affected customers was provided on the official website of the Massachusetts state government. The letter began with the statement: “We take the security of customer information very seriously. We are writing to inform you that some of your personal information has been affected by a cybersecurity incident.”

The letter stated that “some customer data was accessed by unauthorized individuals between July 1, 2025, and December 13, 2025.” The vulnerability was caused by code changes related to PayPal Working Capital, allowing hackers to access user information on the PayPal network. The leaked information included names, social security numbers, birthdates, email addresses, telephone numbers, and business addresses.

According to the PayPal website, PayPal Working Capital provides fast funding services for small businesses. Among other criteria, this loan appears to be limited to users registered in the UK with annual PayPal sales of at least £9,000.

On the day after the issue was discovered, December 13, 2025, PayPal terminated unauthorized access to the PayPal system and addressed the code changes that led to the error.

The notification letter from PayPal also mentioned that law enforcement investigations were ongoing, and the notification process was not delayed. PayPal confirmed in the letter that “a few customers’ accounts had unauthorized transactions” but did not provide specific numbers of affected individuals. PayPal stated that after discovering unauthorized access, the passwords of affected accounts were reset, requiring affected users to set a new password on their next login.

The letter also stated that PayPal had refunded customers for some of the unauthorized transactions.

PayPal emphasized in the letter that the company would never ask for usernames, passwords, or one-time verification codes via phone calls, text messages, or emails.

PayPal also advised users to remain vigilant and adopt best security practices, such as immediately changing passwords and security questions in case of suspicious activity, and staying alert to messages creating a sense of urgency or demanding immediate action.