
PayPal

Analysis of the PayPal credential-stuffing attack affecting 34,942 users with SSN exposure over a 5-month period.

Published by the Scrutex.ai Research Team | February 2026

Disclaimer

This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.

At a Glance

Organisation: PayPal. Global digital payments platform enabling online money transfers, serving over 400 million active accounts worldwide.

Sector: Fintech / Payments

Region: United States

Date of Incident: July 1, 2025 to December 12, 2025

Date Disclosed: February 2026

Estimated Impact: 34,942 users

Data Types Exposed: Names, addresses, Social Security numbers

Attack Type: Credential Stuffing

Attack Vector: Credential-stuffing attack targeting the PayPal Working Capital loan application

Current Status: Under investigation. Unauthorised transactions refunded by PayPal. Affected users notified.

Severity Assessment: High despite small scale. SSN exposure through a payment platform's loan application creates significant identity theft risk. The five-month persistence period indicates detection gaps.

What Happened

PayPal disclosed in February 2026 that 34,942 users were affected by a credential-stuffing attack targeting its Working Capital loan application. The attack persisted from July 1, 2025 to December 12, 2025.

The compromised data includes names, addresses, and Social Security numbers. Some users reported unauthorised transactions, which were refunded by PayPal. SSN exposure makes this particularly severe despite the relatively small number of affected users.

Timeline

July 1, 2025: Credential-stuffing attack begins, targeting the PayPal Working Capital loan application.

December 12, 2025: Attack detected and terminated after approximately five months.

February 2026: PayPal discloses the breach and begins notifying affected users.

Impact and Risk Assessment

For Affected Individuals

34,942 users had their SSNs exposed through the Working Capital loan application, creating long-term identity theft risk.

Some users experienced unauthorised transactions, which PayPal has refunded.

The five-month window of access means affected users' data may have been exploited for an extended period before detection.

For Organisations

PayPal faces reputational impact and potential regulatory scrutiny over the five-month detection gap for an attack on a financial product application.

Regulatory Context

Financial services regulators and state attorneys general may investigate the adequacy of PayPal's monitoring and detection capabilities for its lending products.

SSN exposure triggers the most stringent notification requirements under US state breach notification laws.

What Should You Do?

If You Are a Potentially Affected Individual

If you are notified by PayPal, place a fraud alert or credit freeze with the three major credit bureaus immediately given the SSN exposure.

Monitor your credit reports and financial accounts for signs of identity theft.

Review your PayPal account for any unauthorised activity and report suspicious transactions.

If You Are a Security or Risk Professional

Implement rate limiting, CAPTCHA, and anomaly detection on all authentication endpoints, particularly those protecting sensitive financial applications.

Credential-stuffing detection should be continuous, not periodic. A five-month persistence window is unacceptable for a financial services platform.

Learnings and Recommendations

Access persisted for over 5 months before detection, highlighting the need for continuous monitoring and anomaly detection on authentication endpoints.

Credential-stuffing attacks exploit password reuse. Organisations should implement rate limiting, CAPTCHA, and anomaly detection to identify and block automated login attempts.
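To make the anomaly-detection recommendation above (and the earlier point that detection on authentication endpoints must be continuous) concrete, the following Python is an added example written for this advisory; it is not PayPal's or Scrutex's detection logic. It slides a time window over per-source login attempts and flags a source that tries many distinct accounts with a high failure rate, the footprint of a replayed credential list rather than a user mistyping a password; the log lines, IPs, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): timestamp, source IP, account, outcome.
# 203.0.113.7 walks a list of different accounts; 198.51.100.9 is one user retrying.
SAMPLE_LOG = """\
2025-07-01T02:00:01Z 203.0.113.7 alice FAIL
2025-07-01T02:00:02Z 203.0.113.7 bob FAIL
2025-07-01T02:00:03Z 203.0.113.7 carol FAIL
2025-07-01T02:00:04Z 203.0.113.7 dave OK
2025-07-01T02:00:05Z 203.0.113.7 erin FAIL
2025-07-01T02:00:06Z 203.0.113.7 frank FAIL
2025-07-01T02:00:20Z 198.51.100.9 alice FAIL
2025-07-01T02:00:45Z 198.51.100.9 alice OK
"""

def parse_log(text):
    """Parse the space-separated lines above into (timestamp, ip, account, outcome)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events

def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5, min_fail_rate=0.8):
    """Flag a source IP when some `window` of its attempts covers at least `min_accounts`
    distinct accounts with a failure rate of at least `min_fail_rate` (assumed thresholds,
    tune per deployment). Accounts that logged in OK from a flagged source are returned
    so they can be forced through re-authentication and notified."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        by_ip[ip].append((ts, user, outcome))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            win = attempts[start:end + 1]
            accounts = {u for _, u, _ in win}
            fails = sum(1 for _, _, o in win if o == "FAIL")
            if len(accounts) >= min_accounts and fails / len(win) >= min_fail_rate:
                flagged[ip] = {
                    "accounts": len(accounts),
                    "fail_rate": round(fails / len(win), 2),
                    "ok_accounts": sorted(u for _, u, o in win if o == "OK"),
                }
    return flagged
```

Run continuously over the live auth stream, the single retrying user is never flagged, while the list-walking source is flagged within seconds rather than months, and the `ok_accounts` it reached are the ones to step up or reset.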

Sources
