Credential Stuffing · Fintech / Payments · United States · February 2026

PayPal

Analysis of the PayPal credential-stuffing attack affecting 34,942 users with SSN exposure over a 5-month period.

Records Affected

34,942 users

Attack Type

Credential Stuffing

Location

United States

Data types exposed

Names, addresses, Social Security numbers

What Happened

PayPal disclosed in February 2026 that 34,942 users were affected by a credential-stuffing attack targeting its Working Capital loan application. The attack persisted from July 1, 2025 to December 12, 2025.
The compromised data includes names, addresses, and Social Security numbers. Some users reported unauthorised transactions, which were refunded by PayPal. SSN exposure makes this particularly severe despite the relatively small number of affected users.

Timeline

  • July 1, 2025 — Credential-stuffing attack begins targeting PayPal Working Capital loan application
  • December 12, 2025 — Attack detected and terminated after approximately five months
  • February 2026 — PayPal discloses the breach and begins notifying affected users

Impact and Risk Assessment

For Individuals

34,942 users had their SSNs exposed through the Working Capital loan application, creating long-term identity theft risk.
Some users experienced unauthorised transactions, which PayPal has refunded.
The five-month window of access means affected users' data may have been exploited for an extended period before detection.

For Organisations

PayPal faces reputational impact and potential regulatory scrutiny over the five-month detection gap for an attack on a financial product application.

Regulatory Context

Financial services regulators and state attorneys general may investigate the adequacy of PayPal's monitoring and detection capabilities for its lending products.
SSN exposure triggers the most stringent notification requirements under US state breach notification laws.

What Should You Do?

For Individuals

  • If you are notified by PayPal, place a fraud alert or credit freeze with the three major credit bureaus immediately given the SSN exposure.
  • Monitor your credit reports and financial accounts for signs of identity theft.
  • Review your PayPal account for any unauthorised activity and report suspicious transactions.

For Security Professionals

  • Implement rate limiting, CAPTCHA, and anomaly detection on all authentication endpoints, particularly those protecting sensitive financial applications.
  • Credential-stuffing detection should be continuous, not periodic. A five-month persistence window is unacceptable for a financial services platform.
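
One way to make the anomaly-detection recommendation above concrete is a streaming check that evaluates every login event as it arrives and flags a source that fails against many distinct accounts in a short window. This is an added example, not PayPal's code or anything from the public reports; the log format, the per-source-IP keying, the thresholds and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_DISTINCT_FAILED = 5         # assumed: distinct accounts failing per source
MIN_FAILURE_RATIO = 0.8         # assumed: stuffing runs mostly fail

def parse(line):
    """Parse 'ISO-timestamp source_ip username result' (constructed log format)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "ok"

def detect(lines):
    """Evaluate each event on arrival; return (ts, ip, distinct_failed) once per source."""
    recent = defaultdict(deque)  # ip -> events still inside the window
    flagged = {}
    for line in lines:
        ts, ip, user, ok = parse(line)
        q = recent[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > WINDOW:  # expire events older than the window
            q.popleft()
        failed_users = {u for _, u, s in q if not s}
        failures = sum(1 for _, _, s in q if not s)
        # Many *distinct* accounts failing separates stuffing from one user mistyping.
        if (ip not in flagged
                and len(failed_users) >= MAX_DISTINCT_FAILED
                and failures / len(q) >= MIN_FAILURE_RATIO):
            flagged[ip] = (ts, ip, len(failed_users))
    return list(flagged.values())

def sample_log():
    """Constructed events: one source cycling through accounts, one user mistyping."""
    base = datetime(2026, 1, 5, 9, 0, 0)
    lines = []
    for i in range(8):  # 203.0.113.7 tries 8 different accounts, one login succeeds
        result = "ok" if i == 6 else "fail"
        stamp = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{stamp} 203.0.113.7 user{i} {result}")
    for i in range(6):  # 198.51.100.4 retries the same account, then succeeds
        result = "ok" if i == 5 else "fail"
        stamp = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{stamp} 198.51.100.4 alice {result}")
    return sorted(lines)  # ISO timestamps sort chronologically

if __name__ == "__main__":
    for ts, ip, n in detect(sample_log()):
        print(f"{ts.isoformat()} ALERT {ip}: {n} distinct accounts failed within {WINDOW}")
```

Source IP is only one key. The same window can be keyed on other request attributes and combined with a site-wide failure-rate baseline, since automated login traffic is often spread across many addresses.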

Learnings and Recommendations

Access persisted for over 5 months before detection, highlighting the need for continuous monitoring and anomaly detection on authentication endpoints.
Credential-stuffing attacks exploit password reuse. Organisations should implement rate limiting, CAPTCHA, and anomaly detection to identify and block automated login attempts.
This advisory summarises a publicly reported cybersecurity incident for educational purposes. Information is sourced from publicly available reports and may include claims that are unverified or disputed. Inclusion does not imply fault or negligence by the affected organisation.