Mar 03, 2026
The Companies That Process Your Loan Applications Lost 20 Million SSNs—Here's How It Actually Happened
Prosper Marketplace and 700Credit disclosed near-simultaneous breaches affecting almost 20 million people. The 700Credit story is a supply chain attack that reveals how financial data gets exposed through vendors you've never heard of.
Two Breaches, Twenty Million People
Prosper Marketplace is a San Francisco-based peer-to-peer lending platform. On September 1, 2025, the company discovered that unauthorized actors had been accessing its systems since June 2025—three full months of undetected access. The attackers exfiltrated data on approximately 17.6 million customers and loan applicants, including names, Social Security numbers, dates of birth, bank account numbers, driver's license numbers, passport numbers, tax information, payment card numbers, and in some cases marriage and birth certificates.
700Credit is less visible but more embedded in daily financial life. It provides credit reporting, identity verification, and fraud detection services to more than 23,000 automotive, RV, powersports, and marine dealers across the United States. When you walk into a car dealership and they run your credit, there's a reasonable chance 700Credit is handling the transaction. The company disclosed in late 2025 that a breach had exposed the names, addresses, dates of birth, and Social Security numbers of 5.8 million individuals.
Together, these two disclosures represent a combined exposure of nearly 20 million Americans' most sensitive financial identifiers—arriving within weeks of each other in late 2025.
The Supply Chain Attack That Made the 700Credit Breach Possible
The Prosper breach appears to be a direct compromise of Prosper's own systems. The 700Credit breach is structurally different—and more instructive.
According to 700Credit's disclosure, the breach did not begin with 700Credit itself. A threat actor compromised one of 700Credit's third-party integration partners in July 2025. During that intrusion, the attacker discovered an exposed API connected to 700Credit's systems. The API hadn't been properly secured—it could be accessed without proper authorization, and it could be used to retrieve customer data tied to 700Credit's dealership clients.
The compromised integration partner did not inform 700Credit that it had been breached. Not in July. Not in August. Not in September. 700Credit only discovered something was wrong on October 25, 2025, when it independently spotted unusual activity in its systems. By that point, the attackers had had access to the API for at least three months—and data collection had apparently begun as early as May 2025.
This is a supply chain attack: the target organization is accessed not directly, but through a trusted vendor. It's the same attack vector that made SolarWinds and MOVEit two of the most significant breaches in recent history. The attacker doesn't need to defeat 700Credit's perimeter—they only need to defeat the perimeter of any one of the vendors that has privileged API access to 700Credit's systems.
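The two controls this account turns on are a per-request check that a partner credential may only query the dealers it is scoped to, and a review of API logs for a partner suddenly pulling far more records than usual. The sketch below is an added example, not code from 700Credit or from this article; the partner names, dealer IDs, scoping table, and log format are all constructed for illustration.

```python
from collections import defaultdict

# Hypothetical scoping table: which dealer accounts each integration partner may query.
PARTNER_SCOPE = {
    "partner-a": {"dealer-100", "dealer-101"},
    "partner-b": {"dealer-200"},
}

# Constructed sample API access log: date, partner credential, dealer queried, records returned.
SAMPLE_LOG = """\
2025-07-01 partner-a dealer-100 12
2025-07-01 partner-b dealer-200 9
2025-07-02 partner-a dealer-101 15
2025-07-02 partner-b dealer-200 11
2025-07-03 partner-a dealer-100 14
2025-07-03 partner-b dealer-200 10
2025-07-03 partner-b dealer-100 480
2025-07-04 partner-b dealer-101 950
"""

def is_authorized(partner, dealer):
    """Object-level check the API should enforce on every request."""
    return dealer in PARTNER_SCOPE.get(partner, set())

def review_log(log_text, volume_factor=5):
    """Return {partner: [findings]} for out-of-scope queries and volume spikes."""
    daily = defaultdict(lambda: defaultdict(int))   # partner -> date -> records
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines rather than crash the review
        date, partner, dealer, count = parts[0], parts[1], parts[2], int(parts[3])
        daily[partner][date] += count
        if not is_authorized(partner, dealer):
            findings[partner].append(f"{date} out-of-scope {dealer}")
    for partner, per_day in daily.items():
        days = sorted(per_day)
        for i, day in enumerate(days[1:], start=1):
            # Baseline is the median of this partner's earlier daily totals.
            prior = sorted(per_day[d] for d in days[:i])
            baseline = prior[len(prior) // 2]
            if per_day[day] > volume_factor * baseline:
                findings[partner].append(f"{day} volume {per_day[day]} vs baseline {baseline}")
    return dict(findings)

if __name__ == "__main__":
    for partner, items in review_log(SAMPLE_LOG).items():
        print(partner, items)
```

Enforcing `is_authorized` at request time is the preventive control; the log review is the backstop that shortens the window when a partner's credential is misused and the partner says nothing.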
Why Third-Party Risk Is So Hard to Manage
700Credit serves 23,000 dealerships and processes credit applications for millions of consumers. To do that, it connects its systems to a complex web of integration partners, data providers, and technology vendors. Each of those connections is a potential attack surface.
For compliance officers and risk managers, the 700Credit breach illustrates the fundamental tension in third-party risk management. Organizations conduct vendor assessments—security questionnaires, SOC 2 audits, penetration test results—before authorizing vendor relationships. Those assessments are point-in-time snapshots. They tell you whether a vendor's security posture was acceptable at the moment of assessment. They do not tell you whether the vendor's systems were compromised between the last assessment and today.
GDPR, CCPA, and sector-specific regulations like GLBA (which governs financial data) all require organizations to ensure their vendors maintain appropriate data protection standards. The legal theory is that you cannot outsource responsibility for data you collect. But in practice, a business cannot continuously monitor the internal security posture of every third-party vendor in real time.
The 700Credit breach is a documented case where a third-party integration partner was compromised, the partner discovered the breach, and failed to notify its downstream partner for months. That failure is itself a regulatory and contractual matter. But it created a window during which 5.8 million consumers' SSNs were accessible to attackers—and neither 700Credit nor the affected consumers had any way to know it.
What Prosper Users Should Know
For Prosper users specifically, the scope of exposed data is unusually comprehensive. Most data breaches expose email addresses, usernames, and hashed passwords. The Prosper breach exposed Social Security numbers, bank account numbers, and in some cases passport numbers and payment card details. This is the combination of identifiers needed for full identity theft—not just credential abuse, but financial fraud, tax fraud, and identity impersonation.
Prosper is offering two years of credit monitoring through Experian to affected users. 700Credit is offering twelve months through TransUnion. Both offers are worth taking. Neither is sufficient as a standalone protection measure.
The stronger protection is a credit freeze—not credit monitoring. Monitoring alerts you after something has already happened. A freeze prevents new credit lines from being opened in your name entirely. All three bureaus (Equifax, Experian, TransUnion) offer free credit freezes that can be lifted when you need to apply for credit.
For the 5.8 million people in the 700Credit dataset—most of whom visited a car dealership in the past few years without knowing the name of the company processing their credit application—your Social Security number was accessible through an exposed API for potentially five months, held by a company you may never have heard of, through a supply chain connection you had no visibility into. That is how financial data exposure actually works in practice.