A coding error in a PayPal application left some customers' data exposed and resulted in a small number of fraudulent transactions, the company has confirmed.
PayPal recently notified a subset of its customers that it had identified a bug in its PayPal Working Capital (PPWC) loan application, a business financing product that gives eligible businesses a cash advance based on their PayPal sales history.
Discovered on December 12, 2025, the bug exposed sensitive data for more than five months, from July 1, 2025, to December 13, 2025. The exposed data included usernames, email addresses, phone numbers, business addresses, Social Security numbers (SSNs) and dates of birth.
Commenting on this, Simon Pamplin, CTO of Certes, said: “This incident highlights a recurring issue in cybersecurity: breaches are not always the result of sophisticated external attacks, but of small internal failures that expose highly sensitive data for extended periods of time.
What is particularly concerning here is the duration. Five months is a significant window in which personal and financial identifiers including Social Security numbers and dates of birth may have been accessible. Once that data is copied, the risk does not disappear when the bug is fixed or passwords are reset. It persists.
The immediate concern is fraud and phishing, which we are already seeing in the form of unauthorised transactions. But the longer-term risk is often overlooked. Criminal groups increasingly operate on a harvest now, decrypt later model, quietly collecting encrypted or protected data today with the expectation that advances in computing power, including quantum capability, will allow them to unlock it in the future.
Financial and identity data is long-lived by nature. Social Security numbers and dates of birth do not expire. If that information is stored or transmitted in ways that could become readable later, organisations are effectively placing a countdown timer on their own data.
Too many responses to breaches still focus on containment, reimbursement and credit monitoring. Those steps are important, but they do not address the strategic question: if attackers were inside for months, what data was readable, usable and exfiltrated during that time?
As quantum computing moves closer from theoretical to practical reality, the emphasis must shift from preventing every breach to ensuring that, even if data is harvested, it is rendered permanently unusable. The organisations that adapt to that reality now will be far better positioned than those still relying solely on perimeter controls and post-incident remediation.”