When most people hear about a data breach, they picture ransomware, phishing, or a compromised server. Yet some of the most damaging exposures happen quietly from internal errors or software misconfigurations. In February 2026, PayPal disclosed that a routine code change in its PayPal Working Capital loan application unintentionally exposed customer data for more than six months. There was no system intrusion, no external attacker, just a change that behaved unexpectedly until it was detected in December 2025.

This kind of incident is not unique. Studies show that over 40% of cloud service data breaches involve misconfigurations or internal errors, affecting platforms including Stripe, Square, and QuickBooks. The PayPal exposure window ran from July 1 to December 13, 2025, and affected customers were formally notified on February 10, 2026.

What data was involved

The exposure included a mix of personal and business information: full names, email addresses, phone numbers, business addresses, dates of birth, and Social Security numbers. While each piece of data is sensitive on its own, combined they create a high-risk profile for identity theft, financial fraud, and targeted social engineering attacks. Small business owners, in particular, may be vulnerable because attackers can leverage both personal and company details to gain trust or bypass security controls.

Although the incident was not caused by external attackers, PayPal confirmed that a small number of customers did experience unauthorized transactions. Those transactions were quickly refunded, but the breach illustrates how even internal errors can lead to tangible financial impacts.

For businesses, this incident is a reminder that the value of data is not just theoretical: when personal and corporate information overlap, the consequences of exposure can cascade quickly,  from compromised accounts to broader operational and reputational risks.

What PayPal did after discovery

Once the issue came to light, PayPal acted quickly to contain the exposure. The faulty code was rolled back, unauthorized access terminated, and affected accounts were required to reset their passwords. Additional authentication controls were added to strengthen security at the next login, helping prevent further misuse of sensitive data.

To support impacted customers, PayPal is offering two years of complimentary credit monitoring and identity restoration services through Equifax, which includes identity theft insurance coverage. Affected users must enroll before July 31, 2026, to take full advantage of these protections.

Customers were also advised to proactively monitor their credit reports and consider placing fraud alerts or credit freezes with Experian and TransUnion. These measures are especially important given the mix of personal and business data involved, which could otherwise be exploited for fraudulent activity or targeted attacks.

By taking these steps, PayPal aimed not only to limit immediate risk but also to provide customers with tools to detect and respond to potential identity theft, a critical reminder that remediation after a breach is as important as prevention.

Why this matters beyond PayPal

The most important takeaway here isn’t the platform involved — it’s the nature of the failure. Incidents like this don’t originate from obvious weaknesses such as poor passwords or an exposed firewall. They emerge from internal changes that unintentionally alter access and then blend into normal operations, unnoticed for months because nothing appears broken.

These are some of the hardest issues to detect. Systems continue to function, users can do their jobs, and no alarms are triggered. From the outside, everything looks stable, while sensitive data may be quietly exposed in the background.

For businesses that rely heavily on third-party platforms to process payments, manage finances, or store customer data, this introduces a familiar and uncomfortable reality: trust often replaces visibility. Organizations assume that well-known providers are secure by default, yet incidents like this show that even mature platforms can introduce risk through routine changes.

The challenge for businesses is no longer deciding which vendors to trust — it’s understanding how much oversight is needed once that trust is granted.

Securing PayPal and similar financial platforms

For enterprises, treating financial platforms as integral parts of your security perimeter — rather than “black boxes” managed solely by the vendor:

• enable multi-factor authentication for all users, with particular attention to administrators and employees with elevated access

• use unique, strong passwords for each platform and avoid reusing credentials across systems

• regularly review user access, removing permissions that are no longer necessary or assigned to inactive accounts

• activate real-time alerts for logins, withdrawals, and account changes to catch unusual activity quickly

• audit linked bank accounts, APIs, and integrations on a consistent schedule to ensure no unintended connections exist

While no set of measures can guarantee that incidents never happen, these practices significantly reduce risk and give your team the ability to respond quickly if a problem arises. For enterprises, treating financial platforms as integral parts of your security perimeter rather than “black boxes” managed solely by the vendor is key to maintaining visibility and control.

What businesses should do next

Incidents like this reveal a gap many organizations overlook. Security controls often focus on stopping external threats, while internal changes, misconfigurations, and third-party platforms get less attention. Yet these are exactly the areas where sensitive data can quietly leak for months.

From an IT perspective, businesses should treat SaaS platforms as extensions of their own environment. That means actively monitoring user behavior, logging configuration changes, and including those tools in incident response planning. It also requires accepting that mistakes will happen — and designing controls that surface them quickly.

“At Annexus Technologies, we see time and again that security issues aren’t always caused by hackers. More often, they stem from change without oversight. Routine code updates, permission changes, and integrations can quietly create vulnerabilities if organizations aren’t watching,” says Andrew N. Griffiths, CEO of Annexus Technologies. “The PayPal incident is a reminder that proactive monitoring and disciplined change management aren’t optional — they’re essential.”

For organizations looking to strengthen visibility and control over critical platforms, Annexus Technologies offers comprehensive guidance, security reviews, and monitoring solutions.

Contact us to learn more:
✉️ sales@annexustech.ca
📞 (403) 879-4371