Date: 2025-12-15

700Credit lost sensitive data on 5.6 million people after a third‑party API was compromised

Attackers siphoned ~20% of consumer records over two weeks, including names, addresses, DOBs, and SSNs

Victims are being notified and offered two years of credit monitoring as regulators and the FBI investigate

Credit check giant 700Credit has suffered a data breach which saw it lose sensitive data on more than 5.6 million people.

In a statement shared with the media, partners, and affected individuals, 700Credit said that in late October 2025, it suffered a third-party supply-chain attack.

The company communicates with more than 200 integration partners through APIs. One of those partners was compromised in July but failed to notify 700Credit. As a result, unnamed cybercriminals who had broken into that third party’s system exposed an API used to pull consumer information.

A warning to customers

The “sustained velocity” attack started on October 25, 2025, and lasted more than two weeks, 700Credit explained.

The company shut down the exposed API, but the attackers still obtained roughly 20% of consumer data, including people’s names, addresses, dates of birth, and Social Security numbers.

While 700Credit’s internal systems, as well as login and payment information, were not compromised, the threat actors still managed to get enough data to launch highly convincing phishing attacks.

Therefore, customers and clients are urged to be wary of incoming communications, especially those claiming to come from the credit check company.

“If you get a letter from 700Credit, don’t ignore it,” said Michigan attorney general Dana Nessel. “It is important that anyone affected by this data breach takes steps as soon as possible to protect their information. A credit freeze or monitoring services can go a long way in preventing fraud, and I encourage Michiganders to use the tools available to keep their identity safe.”

The company also partnered with the National Automobile Dealers Association (NADA) to coordinate with the Federal Trade Commission (FTC) and file a consolidated breach notice on behalf of all affected dealerships. The attack was also reported to the FBI.

Affected customers are being notified right now and will be offered two years of free credit monitoring, a free credit report, and access to a dedicated support line.

Via CBT News

