PayPal app code error leaked personal info and a 'few' unauthorized transactions
(2026/02/20)
- Reference: 1771625432
- News link: https://www.theregister.co.uk/2026/02/20/paypal_app_code_error_leak/
- Source link:
PayPal has notified about 100 customers that their personal information was exposed online during a code change gone awry, and in a few of these cases, people saw unauthorized transactions on their accounts.
All of these customers have been fully refunded, according to a PayPal spokesperson.
"When there is a potential exposure of customer information, PayPal is required to notify affected customers," the spokesperson told The Register . "In this case, PayPal's systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter."
[1]
According to a February 10 data breach notification sent to affected customers and shared with The Register , the online payment company spotted the unauthorized activity on December 12. It was due to a coding error in its PayPal Working Capital loan application that inadvertently leaked customers' business contact information - including names, Social Security numbers, dates of birth, email addresses, phone numbers, and business addresses - between July 1, 2025, and December 13, 2025.
[2]
[3]
"PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII," the [4]letter said [PDF].
[5]PayPal says crooks poked around 35,000 accounts in credential stuffing attack
[6]Euro banks block billions in rogue PayPal direct debits after fraud glitch
[7]Crims hit a $20M jackpot via malware-stuffed ATMs
[8]ShinyHunters demands $1.5M not to leak Vegas casino and resort chain data
As soon as it noticed the leak and fraudulent transactions, PayPal says it began an investigation and blocked the unauthorized access, resetting passwords of affected accounts and requiring customers to set a new password the next time they log in.
"A few customers experienced unauthorized transactions on their account and PayPal has issued refunds to these customers," according to the notification.
The company is also offering affected customers two years of free credit monitoring.
[9]
This data incident follows an earlier - and much worse - PayPal breach that also occurred in December, during which "unauthorized parties" accessed customers' accounts using their valid login credentials.
In that 2022 security snafu, personal info belonging to [10]35,000 PayPal users was exposed including customers' names, addresses, Social Security numbers, individual tax identification numbers, and dates of birth. ®
Get our [11]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aZjnjhdzBnmiQlgA9oJndgAAAco&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aZjnjhdzBnmiQlgA9oJndgAAAco&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aZjnjhdzBnmiQlgA9oJndgAAAco&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://regmedia.co.uk/2026/02/20/paypal_february_2026_breach_notification.pdf
[5] https://www.theregister.com/2023/01/19/paypal_data_breach/
[6] https://www.theregister.com/2025/08/28/euro_banks_block_paypal_direct_debits/
[7] https://www.theregister.com/2026/02/19/crims_atm_jackpotting/
[8] https://www.theregister.com/2026/02/20/shinyhunters_wynn_resorts/
[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aZjnjhdzBnmiQlgA9oJndgAAAco&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[10] https://www.theregister.com/2023/01/19/paypal_data_breach/
[11] https://whitepapers.theregister.com/
All of these customers have been fully refunded, according to a PayPal spokesperson.
"When there is a potential exposure of customer information, PayPal is required to notify affected customers," the spokesperson told The Register . "In this case, PayPal's systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter."
[1]
According to a February 10 data breach notification sent to affected customers and shared with The Register , the online payment company spotted the unauthorized activity on December 12. It was due to a coding error in its PayPal Working Capital loan application that inadvertently leaked customers' business contact information - including names, Social Security numbers, dates of birth, email addresses, phone numbers, and business addresses - between July 1, 2025, and December 13, 2025.
[2]
[3]
"PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII," the [4]letter said [PDF].
[5]PayPal says crooks poked around 35,000 accounts in credential stuffing attack
[6]Euro banks block billions in rogue PayPal direct debits after fraud glitch
[7]Crims hit a $20M jackpot via malware-stuffed ATMs
[8]ShinyHunters demands $1.5M not to leak Vegas casino and resort chain data
As soon as it noticed the leak and fraudulent transactions, PayPal says it began an investigation and blocked the unauthorized access, resetting passwords of affected accounts and requiring customers to set a new password the next time they log in.
"A few customers experienced unauthorized transactions on their account and PayPal has issued refunds to these customers," according to the notification.
The company is also offering affected customers two years of free credit monitoring.
[9]
This data incident follows an earlier - and much worse - PayPal breach that also occurred in December, during which "unauthorized parties" accessed customers' accounts using their valid login credentials.
In that 2022 security snafu, personal info belonging to [10]35,000 PayPal users was exposed including customers' names, addresses, Social Security numbers, individual tax identification numbers, and dates of birth. ®
Get our [11]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aZjnjhdzBnmiQlgA9oJndgAAAco&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aZjnjhdzBnmiQlgA9oJndgAAAco&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aZjnjhdzBnmiQlgA9oJndgAAAco&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://regmedia.co.uk/2026/02/20/paypal_february_2026_breach_notification.pdf
[5] https://www.theregister.com/2023/01/19/paypal_data_breach/
[6] https://www.theregister.com/2025/08/28/euro_banks_block_paypal_direct_debits/
[7] https://www.theregister.com/2026/02/19/crims_atm_jackpotting/
[8] https://www.theregister.com/2026/02/20/shinyhunters_wynn_resorts/
[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aZjnjhdzBnmiQlgA9oJndgAAAco&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[10] https://www.theregister.com/2023/01/19/paypal_data_breach/
[11] https://whitepapers.theregister.com/
I ditched this site after they fucked something up and I tried to contact them. It was impossible to do so so I shut my account.
Enshittified wank.