PayPal’s ‘bad code’ leads to unauthorized payments-amtomessage

webadmin

2026-02-24

PayPal’s ‘bad code’ leads to unauthorized payments

Key insights: PayPal suffered a breach due to a faulty code in its small-business lending group.
What’s at stake: The breach comes as PayPal attempts to recover from an earnings slump.
Forward look: PayPal has refunded the stolen funds and offered two years of free credit monitoring.

PayPal has spent the past few weeks cleaning up after a data breach caused some customers to lose funds to hackers.

PayPal’s Feb. 10 breach disclosure letter said that on Dec. 12, the company discovered a coding error in its PayPal Working Capital system, resulting in the exposure of personally identifiable information of some customers between July 1 and Dec. 13. This information included some combination of names, email addresses, phone numbers, businesses addresses, Social Security numbers and dates of birth.

“Sadly, these types of breaches are not unique, and it seems in recent times that lenders and lending platforms are increasingly targeted, perhaps for the treasure-trove of sensitive data loan applications contain,” Tracy Goldberg, director of cybersecurity at Javelin Strategy & Research, told American Banker.

PayPal’s letter said “a few” customers experienced unauthorized transactions on their account, adding the company has issued refunds to those customers and offered two free years of credit monitoring through Experian. It also implemented “advanced” security controls and reset the passwords of the affected customers. These customers will be required to change their passwords upon their next login.

The breach was tied to PayPal Working Capital, a business-facing unit that offers credit to mostly small businesses. PayPal Working Capital plays a role in how PayPal competes with banks, with a particular focus on businesses where banks are reducing their presence. More than half of Working Capital and PayPal Business loans go to small businesses in ZIP codes where more than 10 bank branches closed during the early 2020s, according to PayPal. PayPal and rivals such as Square offer loans to businesses based on a percentage of future payment flows, which the fintechs contend enables them to make loans to small businesses faster than banks.

Small business lending is also part of a revenue diversification and small business relationship strategy as PayPal tries to improve financial performance in the wake of slower growth in its core branded checkout business, a slump that recently led PayPal to fire CEO Alex Chriss and name former HP and PayPal board member Enrique Lores as its new CEO, effective March 1.

Given the corporate churn, a security setback comes at an inopportune time. PayPal did not release the exact number of victims or a financial amount for losses due to the breach. “When there is a potential exposure of customer information, PayPal is required to notify affected customers. In this case, PayPal’s systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter,” a PayPal spokesperson told American Banker. PayPal is based in San Jose, Calif., where state law requires businesses and government agencies to report data breaches affecting more than 500 residents within 30 days of the discovery. It’s unclear how many affected customers are California residents.

PayPal is also not the only financial-technology company to suffer a recent data breach. Blockchain lender Figure Technology Solutions earlier this year reported a leak that exposed 1 million customer accounts, with a cybercriminal group called ShinyHunters claiming responsibility. ShinyHunters uses social engineering to trick staff into enabling access.

ShinyHunters also claimed responsibility for a data breach at fintech Betterment, which exposed data for about 1.4 million consumers.

While seeing names, usernames, email addresses, mobile phone numbers, Social Security numbers, and dates of birth compromised is not unique, what is concerning about the PayPal breach is that all of that personally identifiable information, or PII, was coupled with sensitive information about business clients as well, according to Goldberg.

“What’s more, when all of this information is stolen, pre-bundled, it makes the job of the cybercriminal much easier, since bits of PII have already been sorted and correlated, as it were,” Goldberg said. “With this type of bundled PII, the sale of all of this bundled data is very profitable on the dark web and makes it much easier for cybercriminals to perpetuate new account fraud and account takeover fraud, which remains financial institutions’ leading fraud risk.”

Your email address will not be published. Required fields are marked *

PayPal’s ‘bad code’ leads to unauthorized payments

PayPal’s ‘bad code’ leads to unauthorized payments

Leave a Comment