PayPal's recently acquired payment processor TIO Networks says that the data of up to 1.6 million customers was stolen in a recent data breach.
TIO Networks was acquired by PayPal in July in a deal put at US$238 million.
A statement from PayPal said its own platform was not affected by the breach.
Operations at TIO were suspended on 10 November as part of an ongoing investigation of security vulnerabilities on the platform.
{loadposition sam08}A TIO statement said: "The ongoing investigation has uncovered evidence of unauthorised access to TIO’s network, including locations that stored personal information of some of TIO’s customers and customers of TIO billers.
"TIO has begun working with the companies it services to notify potentially affected individuals.
"We are working with a consumer credit reporting agency to provide free credit monitoring memberships. Individuals who are affected will be contacted directly and receive instructions to sign up for monitoring.
"We greatly appreciate the support of our billing partners, retailers, agents and consumers during this time. We will continue to communicate important updates to customers."