Millions of users are facing a digital nightmare after a significant security failure exposed sensitive personal details. This latest vulnerability has allowed hackers to bypass standard protections, putting both private identities and bank balances at immediate risk. As investigators look into the breakdown, the full scale of the financial impact is only just beginning to surface.
PayPal has begun notifying customers via email about a system compromise that allowed a malicious party to view sensitive data. After breaking into the internal network, this intruder triggered fraudulent payments for certain customers and forced a widespread update of login credentials.
Official alerts from the firm, reviewed by Forbes' Senior Contributor, Davey Winder, reveal that a security lapse compromised certain accounts starting on 1 July 2025. This intruder seemingly maintained a presence within the internal network for months until the company finally identified the activity on 12 December 2025.
Alerts sent out on 10 February state that the vulnerability affected specific customers 'due to an error in its PayPal Working Capital (PPWC) loan application.'
Even as the situation unfolds, it is still unclear how the intruder managed to move through the network. The company has only vaguely blamed a 'code change.' However, a PayPal representative offered this explanation to Forbes: 'When there is a potential exposure of customer information, PayPal is required to notify affected customers. In this case, PayPal's systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter.'
It is still unclear why the company claims its systems were not compromised, while the official notification states that, as a result of its investigation, the firm 'terminated the unauthorised access to PayPal's systems.'
The PayPal notification states, 'Upon learning about this unauthorised activity, we promptly began an investigation and took action to address this incident, including by taking steps to prevent unauthorised actors from obtaining further personal information.'
PayPal has disclosed a data breach that exposed sensitive personal information of a small number of customers for nearly six months in 2025. A coding error exposed personal information, including names, email addresses, phone numbers, business addresses, Social Security numbers,…
Questions remain about why the company's security department took six months to identify the breach, particularly given the extensive window of opportunity this provided for malicious activity. While the alert confirms a significant delay in detection, the relatively small number of affected accounts suggests the impact could have been far more severe had the vulnerability remained open.
Current findings indicate that the following data points were potentially accessed during the incident:
Source: International Business Times UK