A software wiz discovered a “high-severity” bug that put users’ data at risk, but the company fixed it before anyone’s personal information could be “exposed.”

The vulnerability, which could have allowed hackers to snag PayPal users’ passwords, was disclosed this week after researcher Alex Birsan brought it to the company’s attention — scoring him a $15,300 reward and allowing the company to remedy the problem.

“While this was a potential vulnerability brought to the company through our bug bounty program, no user information was exposed,” PayPal spokeswoman Kim Eichorn said in a statement.

The bug could have led users to expose a “security challenge token” on PayPal’s login page to an outside hacker, the company said.

If the user entered their PayPal credentials after following a login link from a malicious site, a hacker could have completed the security challenge on their own and gotten hold of the user’s password, according to PayPal’s summary of the problem.

“With the correct timing and some user interaction, knowing all the tokens used in this request was enough to get the victim’s PayPal credentials,” Birsan wrote in a Wednesday Medium post. “In a real-life attack scenario, the only user interaction needed would have been a single visit to an attacker-controlled web page.”

Some checkout pages also used the same “vulnerable process,” Birsan added, meaning credit card data could have been exposed with the same technique. But PayPal said it found “no evidence of abuse.”

Birsan said PayPal patched the bug in mid-December, less than a month after he submitted his findings to the company on HackerOne, a platform where benevolent hackers can alert companies to security problems.