The Exposed Number

In mid-2025 a code change in PayPal Working Capital caused an application-layer exposure that left roughly 100 small-business customers' PII — including Social Security numbers, dates of birth, names, addresses, and emails — accessible to unauthorized parties for 165 days; PayPal remediated the issue in December 2025, confirmed some fraudulent transactions, and notified affected customers in February 2026. The report frames the event as a systemic failure driven by reliance on SSNs, delayed detection and disclosure, and insufficient change-management and monitoring, and recommends technical controls (field-level encryption, DLP, least privilege, peer review) and policy reforms to reduce SSN collection and long-term identity risk.