PayPal has confirmed that the data exposure incident affected a small group of its users which led to unauthorized activity and mandatory password resets.
According to official breach notification letters sent to affected customers, the issue dates back to July 1, 2025, when a flaw in the PayPal Working Capital (PPWC) loan application system inadvertently allowed unauthorized access to certain PayPal accounts.
This situation went unnoticed until December 12, 2025, when PayPal identified and contained the problem.
The company said the exposure was largely linked to a software error rather than a large-scale external hack, and that its core systems were not directly 'compromised' in the traditional sense.
Nevertheless, the glitch inadvertently exposed some customers' personal information, including names, email addresses, phone numbers, business addresses, dates of birth, and Social Security numbers.
PayPal reports that approximately 100 customers received notifications of the breach and were affected by the incident.
Also Read: Why Nigerians should think twice before adopting PayPal
Some of these accounts also showed unauthorized transactions, although PayPal confirms that refunds have already been issued to those customers.
As part of its response, PayPal has eliminated the unauthorized access and removed the faulty code that caused the exposure.
Passwords for the affected accounts have been reset and users will need to select new credentials the next time they try to log in.
Also read: PayPal goes live in Nigeria to boost international Naira payments
The company is providing two years of free credit monitoring and identity restoration services through Equifax to those affected.
PayPal urged all users to remain vigilant, regularly check their account transactions, monitor their credit reports, and be wary of phishing attempts or suspicious messages.
