By Jack Phillips
PayPal has notified customers that it discovered a breach in its PayPal Working Capital service that could have led to fraudulent transactions.
The personal information of a “small number of customers” was exposed from July 1, 2025, to Dec. 13, 2025, according to a letter the payment processing company sent to customers this month.
Information that could have been exposed included names, business addresses, Social Security numbers, email addresses, birth dates, and phone numbers, according to PayPal.
“A few customers experienced unauthorized transactions on their account and PayPal has issued refunds to these customers,” PayPal wrote in the Feb. 10 letter that was submitted to officials in Massachusetts on Feb. 19.
PayPal did not say how many customers were impacted or how many fraudulent transactions were carried out. It said that it has “since rolled back the code change responsible for this error, which potentially exposed” personally identifying information of the customers.
“We have not delayed this notification as a result of any law enforcement investigation,” it said.
PayPal said it was alerted to “unauthorized activity,” began investigating, and subsequently terminated unauthorized access to the company’s systems.
“We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you log in to your account if you have not already done so,” PayPal said. “A few customers experienced unauthorized transactions on their account and PayPal has issued refunds to these customers.”
In response to the breach, PayPal said it would offer two years of credit monitoring and identity restoration services to affected customers, which it said is free of charge. Free credit monitoring services are also being offered via the Equifax credit bureau, but customers must enroll by June 30 of this year, it said.
In the letter, PayPal urged customers to remain vigilant and review “account information, transaction history, and free credit reports for any suspicious activity.”
Any fraudulent transactions should be reported to the company, it said.
On its website, PayPal says people should call the company to report any unauthorized account access. Customers are advised to use a unique username and password for websites and services, check for any possible phishing attacks in emails they receive, and not to click on links if they are unsure of their legitimacy, according to the letter.
“If you are unsure or want to confirm the authenticity of urgent messages, you should visit paypal.com separately and access your PayPal account to view any messages. PayPal will never ask you to provide the username and password of your PayPal account or any authentication factors, such as a one-time code, over a call, text, or an email message,” it said.
It’s not the first PayPal data breach. In 2023, the California-based company notified around 35,000 customers of a data breach that exposed Social Security numbers and other personal information.
“We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account,” PayPal said at the time.
The Epoch Times contacted PayPal on Feb. 24 for additional comment but did not receive a response by publication time.
