PayPal Coding Bug Exposed Business Accounts to Unauthorized Access

A coding bug in PayPal’s business account platform allowed some users to view limited data from other business accounts before a fix was deployed and users notified.

PayPal, one of the world’s leading digital payment platforms, has disclosed a coding bug in its systems that resulted in unauthorised access to some business accounts, raising serious concerns about platform security and protections for merchants. The flaw — introduced in a recent software update — inadvertently permitted certain authenticated users to view limited information belonging to other business accounts when navigating menus. While PayPal says there is no evidence of fraudulent transactions, the incident exposed sensitive data such as partial transaction histories, balances and account metadata for affected business users.

The company has since identified and patched the bug, notified impacted merchants, and implemented additional safeguards to prevent future occurrences. However, the episode is a stark reminder of the risks associated with software regressions in large-scale financial platforms, where even minor coding errors can lead to data exposure across millions of accounts. With PayPal’s ecosystem deeply embedded in e-commerce and digital services worldwide, the breach has sparked broader discussions about secure software development practices, code review frameworks, and risk management in fintech environments.

Key Highlights

  • Coding bug disclosed: PayPal confirmed a software error allowed certain authenticated users to access data from other business accounts.
  • Scope of exposure: Limited business account information, such as balances, recent transactions and account metadata, was viewable.
  • No fraudulent activity detected: PayPal reports no confirmed misuse, transfers or unauthorised transactions tied to the bug.
  • Root cause: A coding update introduced a logic flaw that bypassed proper access control checks between sessions.
  • Fix deployed: PayPal has patched the issue and initiated remedial actions.
  • User notification: Affected business users have been notified and advised on mitigation steps.

What Happened and Why It Matters

The Coding Bug Explained

According to PayPal’s internal post-mortem shared with stakeholders, a recent update to its business account portal contained a logic flaw in routing and session management. Under certain conditions — typically involving navigation between account menus and API endpoints — the system failed to verify that a requesting user was entitled to view data associated with a specific account ID. This made it possible for logged-in business users to inadvertently access views of other businesses’ account information.

While the exposed data did not include full Personally Identifiable Information (PII), passwords or financial instruments such as full credit card or bank details, access to transactional metadata and balances constituted a data privacy breach with potential commercial sensitivity.
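The flaw the post-mortem describes is a missing object-level authorization check: the request is authenticated, but the account ID it names is never tied back to what the session is entitled to see. As an added illustration (not PayPal's code; the account IDs, session fields and function names are constructed assumptions), the vulnerable handler sits beside its hardened form, with a small audit pass over constructed access-log lines of the kind expanded monitoring would run:

```python
# Constructed, illustrative example of a broken object-level authorization
# bug of the kind described above. Not PayPal's code; all names are assumed.
from dataclasses import dataclass, field

# Constructed in-memory store: account_id -> owner plus the "limited view" fields
ACCOUNTS = {
    "acct-100": {"owner": "user-a", "balance": 1250.00, "recent_tx": 3},
    "acct-200": {"owner": "user-b", "balance": 9800.50, "recent_tx": 11},
}


@dataclass
class Session:
    user_id: str
    # Account IDs this authenticated session may act on (owner or delegate)
    entitled_accounts: set = field(default_factory=set)


class AccessDenied(Exception):
    pass


def _limited_view(account_id):
    acct = ACCOUNTS[account_id]
    return {"balance": acct["balance"], "recent_tx": acct["recent_tx"]}


def view_account_vulnerable(session, account_id):
    """Authentication only: any logged-in user can read any account ID."""
    return _limited_view(account_id)


def view_account_fixed(session, account_id):
    """Authentication plus authorization: the session must be entitled to the
    specific account it asks for, not merely logged in."""
    if account_id not in session.entitled_accounts:
        raise AccessDenied(f"{session.user_id} not entitled to {account_id}")
    return _limited_view(account_id)


def audit_cross_account_reads(log_lines):
    """Detection pass over constructed log lines 'user_id account_id':
    returns (user, account) pairs where the reader is not the account owner."""
    flagged = []
    for line in log_lines:
        user_id, account_id = line.split()
        owner = ACCOUNTS.get(account_id, {}).get("owner")
        if owner is not None and owner != user_id:
            flagged.append((user_id, account_id))
    return flagged
```

The audit helper is the defender's counterpart to the fix: the same ownership relation the handler must enforce is the one a log review can check after the fact.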

PayPal’s Response and Remediation

Upon detecting unusual routing conditions, PayPal’s security engineering teams:

  1. Isolated and neutralised the bug within hours of detection.
  2. Deployed patches across services to ensure proper access checks.
  3. Conducted an audit of other recent code changes to preempt similar issues.
  4. Notified affected business users of the incident and its impact.
  5. Expanded internal monitoring and code review practices.

PayPal also stated it is working with third-party security auditors to reinforce its development lifecycle and improve penetration testing before deployment.

Data Exposed — What Was and Wasn’t Accessed

Exposed (for some business users):

  • Partial account balances
  • Limited transaction metadata (dates, amounts, merchant process status)
  • Some account configuration fields

Not exposed:

  • Full account passwords or authentication tokens
  • Full bank account or debit/credit card details
  • Sensitive personal identifiers (SSN, tax IDs)

This distinction mitigates some of the risks but does not eliminate the reputational or compliance impact for PayPal and affected merchants.

Why This Is Significant for Merchants and Fintech

1. Trust and Security Expectations

Merchants rely on PayPal to safeguard not just funds but also the business insights and transaction history that inform financial planning. Data exposure — even without theft — undermines trust and emphasises the need for resilient access controls.

2. Software Quality and Risk Management

The incident highlights the importance of rigorous security testing, role-based access control checks and code review governance in fintech platforms where software changes can have material impacts on customer data.

3. Regulatory and Compliance Considerations

Depending on the geography of affected users, this type of data exposure may trigger mandatory breach notifications under regimes such as the EU’s GDPR, UK DPA 2018, or data protection laws in various states across the U.S. — exposing PayPal to potential scrutiny from privacy regulators.

Market and Industry Reaction

Industry commentators have noted that even large, mature platforms can be prone to regression bugs that only surface in edge cases or under atypical navigation flows. Many fintechs now reinforce their development lifecycles with automated verification, zero-trust access policies and dedicated secure coding frameworks to guard against similar exposure.

Security professionals also emphasise that data visibility bugs — even without financial loss — are serious because they can enable social engineering, competitive insights leakage or exploitation in combinatorial attacks.