Why did PayPal leak SSNs?
A buggy loan app exposed sensitive customer data
A defect in the loan application system for PayPal Working Capital caused certain customer fields to be exposed for roughly six months. The flaw made personal information, including email addresses and, in some cases, Social Security numbers, available in ways it should not have been, and PayPal has begun notifying affected users.
PayPal's disclosure indicates the problem originated in application code tied to its loan product rather than in a wider platform breach. The company told customers that about 100 accounts were contacted as part of the notification and that a small number of those users saw unauthorized transactions tied to the exposure. No company-wide data leak has been reported in connection with this software error.
What happened in practice:
- Internal application code exposed fields it should have kept private.
- The exposure persisted for months before being fixed.
- Affected customers received notifications and some reported account misuse.
Why this matters: financial services hold highly sensitive identifiers that enable identity theft. When loan or payments workflows mishandle data, the consequences extend beyond immediate account fraud to potential long‑term identity compromise. The incident underscores the challenge of securing complex, interconnected financial products where a single coding mistake can leak personally identifiable information.
What users should do: monitor account statements, enable two‑factor authentication, and consider placing fraud alerts if Social Security numbers were exposed. For companies, this episode is a reminder that security testing and data‑handling checks must be embedded across product teams, especially for services that touch sensitive identity data.