Hey — welcome to Drift Intel.
PayPal disclosed a data breach this week — but before you spiral, here's what actually happened.
Let's get into it.
🔴 PayPal Exposed SSNs for 6 Months (But Don't Panic Yet)
The drift: A code error in PayPal's Working Capital loan app exposed personal information (names, emails, phone numbers, SSNs, dates of birth) from July 1 to December 13, 2025. PayPal discovered it on December 12th and rolled back the change the next day.
The scope: Despite the scary headline, PayPal says roughly 100 customers were affected. This wasn't a system-wide breach — it was a bug in a specific loan application flow.
What PayPal is doing:
Forced password resets for affected accounts
Refunds issued for any unauthorized transactions
2 years of free credit monitoring through Equifax (enroll by June 30, 2026)
Why this matters to you: If you've applied for PayPal Working Capital financing, check your inbox for a breach notification. If you didn't get one, you're probably fine — but it's a good reminder to:
Enable 2FA on your PayPal account if you haven't already
Watch for phishing attempts (PayPal will never ask for passwords or codes via email/text)
Monitor your credit reports regardless
The bigger picture: This is PayPal's second notable breach disclosure in three years. In 2023, a credential stuffing attack hit 35,000 accounts, which led to a $2M settlement with New York State in 2025. Pattern recognition is part of vendor monitoring.
The Takeaway: Small blast radius, but another reminder that even the big players ship bugs that expose sensitive data.
Vendors change the rules constantly. Most of the time it's formatting and typos. But sometimes it's a jurisdiction shift that halves your liability protection, or a data policy change that creates a compliance gap you didn't know you had.
That's why we built StackDrift — so you catch these before they catch you.
Want the full breakdown? Sign up for early access and get severity-scored monitoring across your entire vendor stack.
Trish @ StackDrift


