PayPal’s Working Capital loan app unintentionally let anyone with a valid API token pull Social Security numbers and tax IDs for six months, affecting thousands of small‑business borrowers. The breach was discovered in February, prompting mandatory password resets, fraud alerts, and free credit‑monitoring for affected users. You’ll want to know how it happened, what it means for your data, and how to protect yourself.
What Went Wrong: The Technical Failure
A routine code change in late 2025 left an internal API endpoint exposed to the public internet. Because the endpoint wasn’t gated, anyone who understood the API could query it and retrieve SSNs, tax IDs, and other personally identifiable information. The flaw slipped past PayPal’s broader fraud‑detection tools, staying hidden for roughly six months before a security review finally flagged it.
Immediate Impact on Borrowers
Identity Theft Risks
With Social Security numbers in hand, fraudsters can open credit lines, file false tax returns, or impersonate business owners. For small‑business owners, a compromised SSN can damage credit scores and trigger long‑lasting financial headaches.
PayPal’s Response
PayPal forced password resets for all affected accounts, issued fraud alerts, and set up a dedicated help line. The company also provided free credit‑monitoring services and pledged to roll out extra monitoring tools. All borrowers should treat this as a serious personal‑data incident and stay alert for suspicious activity.
Broader Implications for FinTech Security
The incident highlights the tension between rapid product deployment and thorough security testing. Working Capital’s high‑velocity underwriting engine is designed for speed, but the 2025 code update shows that speed can eclipse rigorous testing, especially with legacy codebases. Security experts note that proper API gateway controls and automated scanning could have caught the misconfiguration before it exposed sensitive data.
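The "API gateway controls and automated scanning" mentioned above can be as simple as a policy check run against the gateway's route table in CI. The following is an added example, not PayPal's code: it audits a constructed route table and flags any endpoint that returns sensitive fields without an explicit scope requirement (the "any valid token can pull it" failure described at the top of this article), any such endpoint with no authentication at all, and any internal route that has been published on the public gateway. Route attributes, field names and paths are all illustrative assumptions.

```python
"""Route-table audit for an API gateway (added example, not PayPal's code).

Flags routes that return sensitive fields without a scope requirement, routes
with no authentication at all, and internal routes published on the public
gateway. The route table at the bottom is constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Response field names treated as sensitive PII (illustrative list).
SENSITIVE_FIELDS = frozenset({"ssn", "tax_id", "ein", "date_of_birth"})

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}

Finding = Tuple[str, str, str]  # (severity, path, message)


@dataclass(frozen=True)
class Route:
    path: str
    intended_audience: str          # "internal" or "public" (assumed attribute)
    published_to: str               # where the gateway actually exposes it
    auth: str                       # "none", "token" (any valid token) or "scoped"
    required_scope: Optional[str]   # scope the token must carry, if auth == "scoped"
    response_fields: FrozenSet[str]


def route_findings(route: Route) -> List[Finding]:
    """Return the policy violations for a single route."""
    findings: List[Finding] = []
    pii = sorted(SENSITIVE_FIELDS & route.response_fields)
    exposed_publicly = route.published_to == "public"

    if pii:
        if route.auth == "none":
            # No gate at all: critical if reachable from the internet.
            severity = "CRITICAL" if exposed_publicly else "HIGH"
            findings.append((severity, route.path,
                             f"no authentication on endpoint returning {pii}"))
        elif route.auth == "token":
            # A bare token check lets any valid token, for any tenant or role,
            # read these fields; a scope (or ownership) check is required.
            findings.append(("HIGH", route.path,
                             f"{pii} readable by any valid token; require a scope"))
        elif not route.required_scope:
            findings.append(("HIGH", route.path,
                             "scoped auth declared but no scope named"))

    if route.intended_audience == "internal" and exposed_publicly:
        findings.append(("MEDIUM", route.path,
                         "internal route published on the public gateway"))
    return findings


def audit(routes: List[Route]) -> List[Finding]:
    """Audit every route and return findings ordered by severity, then path."""
    results: List[Finding] = []
    for route in routes:
        results.extend(route_findings(route))
    results.sort(key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))
    return results


# Constructed route table: a correctly gated public route, an internal
# underwriting route that a config change pushed onto the public gateway
# with only a token check, and an internal health check with no PII.
ROUTES = [
    Route("/v1/loans/{id}/summary", "public", "public", "scoped", "loans:read",
          frozenset({"loan_id", "balance", "next_payment"})),
    Route("/internal/underwriting/applicant/{id}", "internal", "public", "token", None,
          frozenset({"ssn", "tax_id", "business_name"})),
    Route("/internal/health", "internal", "internal", "none", None,
          frozenset({"status"})),
]

if __name__ == "__main__":
    for severity, path, message in audit(ROUTES):
        print(f"{severity:8} {path}: {message}")
```

Run as a CI step, a non-empty result from `audit()` fails the build, which is the point at which the six-month exposure described above would have been a one-commit exposure instead. The check deliberately treats "any valid token" as insufficient for PII-bearing responses, because a token proves the caller is some customer, not that it is the customer whose record is being returned.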
What You Should Do Now
- Monitor your credit reports regularly for unfamiliar accounts or inquiries.
- Enroll in the free credit‑monitoring service PayPal is offering.
- Watch for phishing attempts that might leverage the leaked information.
- Consider placing a fraud alert or credit freeze with major bureaus if you notice suspicious activity.
- Stay informed through PayPal’s official communications for any updates.
Looking Ahead: PayPal’s Planned Fixes
PayPal announced an overhaul of its code‑review practices, introducing continuous security testing for every product release and expanding its bug‑bounty program. While these steps aim to prevent future leaks, the company must demonstrate consistent execution to rebuild trust among small‑business borrowers who rely on swift financing.
In short, the Working Capital leak underscores how a single overlooked endpoint can snowball into a six‑month exposure. You can mitigate the fallout by staying vigilant, monitoring your credit, and taking advantage of the protections PayPal now provides. The next moves PayPal makes will determine whether it can regain confidence or remain a cautionary tale in the fintech security landscape.
