
PayPal Quietly Exposed Small Business Data for 6 Months — Here's What You Need to Know
Published by LAN Services FBG LLC | Cybersecurity for Small Business
If your business has ever used PayPal Working Capital (PPWC) to get a short-term loan, this post is for you. PayPal just disclosed a data breach that sat undetected for nearly six months — and because PPWC is specifically a small business product, the people most at risk are business owners just like the ones we serve here in the Hill Country.
What Happened
PayPal discovered on December 12, 2025 that a coding error inside its Working Capital loan application had been quietly exposing sensitive customer data since July 1, 2025 — a window of roughly 165 days. The flaw wasn't a sophisticated hack. An update to the loan application introduced a bug that accidentally made private customer records visible to unauthorized individuals. No one broke through a firewall. A bad line of code simply left a door propped open for months.
PayPal rolled back the faulty code the day after discovering it and formally notified affected customers via breach notification letters dated February 10, 2026.
What Data Was Exposed
The exposed information is about as sensitive as it gets:
Full name
Email address
Phone number
Business address
Social Security number (SSN)
Date of birth
The combination of SSNs, dates of birth, and business contact details creates a high-risk profile for identity theft, financial fraud, and targeted phishing attacks. A small number of affected customers also reported unauthorized transactions on their accounts — PayPal has issued refunds to those individuals.
Who Was Affected
PayPal says approximately 100 customers were impacted, which is a relatively small number given PayPal's 434 million active users. However, "small number" doesn't mean low stakes for those 100 people. Their most sensitive identifying information is now potentially in criminal hands — and that data doesn't expire.
PayPal Working Capital is designed specifically for small businesses that process sales through PayPal. If you've ever applied for a PPWC loan, check your email for a breach notification letter from PayPal dated around February 10, 2026.
What PayPal Is Doing About It
PayPal has:
Rolled back the faulty code and terminated unauthorized access
Reset passwords for affected accounts
Issued refunds for any unauthorized transactions
Offered 2 years of complimentary three-bureau credit monitoring and identity restoration through Equifax Complete Premier to affected customers
If you received a notification, you must enroll in the credit monitoring by June 30, 2026.
What You Should Do Right Now
Whether or not you received a notification, this incident is a good reminder to take a few protective steps:
1. Check for a breach notification email. Look for correspondence from PayPal dated around February 10, 2026 regarding your Working Capital account.
2. Enable credit monitoring. If you were notified, enroll in the free Equifax monitoring immediately. If you weren't notified, consider enrolling in a credit monitoring service anyway — breached data often surfaces on the dark web months after an incident.
3. Watch for phishing attempts. Criminals routinely launch phishing campaigns in the wake of high-profile breaches, impersonating the breached company. PayPal will never ask you for your password, one-time codes, or account credentials via email or phone. If you get a call or email asking for this, it's a scam.
4. Place a credit freeze. If your SSN was exposed, a credit freeze at all three bureaus (Equifax, Experian, TransUnion) is one of the most effective ways to prevent someone from opening credit in your name. It's free and reversible.
5. Review your PayPal account for unusual activity. Log in, check your transaction history, and verify no unauthorized changes have been made to your account settings.
The Bigger Lesson for Small Business Owners
This incident highlights something we talk about constantly: data breaches don't always come from dramatic hacks. Some of the most damaging exposures come from mundane things — a misconfigured application, an untested code update, a process that never got audited. PayPal is a billion-dollar company with a full security team, and they still had a bug sitting undetected for half a year.
For small businesses, the stakes are just as real but the resources are much thinner. That's why having a trusted IT partner who monitors your environment, reviews your software configurations, and keeps your security posture current isn't a luxury — it's protection.
If you're a small business in the Fredericksburg area and want to talk through what your current exposure looks like, reach out to us. We work specifically with small businesses, wineries, and accounting firms to make sure a coding mistake somewhere in your software stack doesn't become a six-month nightmare.
LAN Services FBG LLC is a Managed Service Provider based in Fredericksburg, Texas, specializing in cybersecurity and IT management for small businesses.
Sources: BleepingComputer, Cyber Security News, eSecurity Planet, Cybernews (February 2026). Claude assisted in writing this article.
