Has PayPal been hacked? No, a programming error exposed users’ personal information

When discussing exposure of financial data, thoughts immediately turn to complex attacks or to international criminal networks. However, the recent anomaly involving PayPal demonstrates how, at times, the privacy threat stems from banal human errors.

The California-based company recently informed a small group of its own customers about a leak of sensitive personal information.

The triggering cause was not an external intrusion into the security systems, but a code update that generated unintended and undesirable effects.

A company spokesperson noted that the IT infrastructures have not suffered any compromise, explaining that the notification to users was sent in strict compliance with current transparency regulations, to ensure maximum awareness of the incident.

PayPal slip-up, the incident dynamics and the data involved

The origin of the service disruption lies in a programming error within the application tied to corporate lending, known as PayPal Working Capital.

According to the official communications sent on February 10 to the data subjects, the flaw remained silent but active for a rather extended period, spanning July 1 to December 13 2025.

During these months, the software defect inadvertently made accessible the company contact information and the personal data of service subscribers.

The extent of exposed details includes full names, dates of birth, physical and electronic addresses, phone numbers and, even more sensitive, social security numbers. The anomaly was definitively identified by the technicians on December 12, 2025, prompting management to act immediately to contain the issue.

Containment measures and customer protection

As soon as the error emerged from routine checks, the digital payments platform promptly launched a thorough investigation, preemptively blocking any access deemed suspicious.

From a strictly technical standpoint, the company has rolled back the code modification responsible for the vulnerability, restoring a stable and secure version of the infrastructure.

Operationally, the systems have forced password resets for all affected accounts, requiring users to create new credentials at their first login attempt after the intervention.

Although the affected user base stands at around a hundred individuals, a small fraction of these people experienced unauthorized transactions on their accounts.

To address this issue, the company has already fully reimbursed the amounts stolen and has offered free to all victims a credit monitoring service lasting two years to protect them from possible future identity theft.