Credit reporting breach exposes 5.6 million consumers through third-party API

Millions of consumer records were accessed during a prolonged API breach, raising serious concerns about identity theft, phishing risks and third-party security oversight within the credit industry.

A supply chain cyberattack exposed personal data of over 5.6 million consumers after attackers exploited a compromised third-party API integration used by a US credit reporting firm.

US credit reporting company 700Credit has confirmed a data breach affecting more than 5.6 million individuals after attackers exploited a compromised third-party API used to exchange consumer data with external integration partners.

The incident originated from a supply chain failure: one partner was breached earlier in 2025 and failed to notify 700Credit.

The attackers launched a sustained, high-volume data extraction campaign starting on October 25, 2025, which operated for more than two weeks before access was shut down.

Around 20 percent of consumer records were accessed, exposing names, home addresses, dates of birth and Social Security numbers, while internal systems, payment platforms and login credentials were not compromised.

Despite the absence of financial system access, the exposed personal data significantly increases the risk of identity theft and sophisticated phishing attacks impersonating credit reporting services.

The breach has been reported to the Federal Trade Commission and the FBI, with regulators coordinating responses through industry bodies representing affected dealerships.

Individuals impacted by the incident are currently being notified and offered two years of free credit monitoring, complimentary credit reports and access to a dedicated support line.

Authorities have urged recipients to act promptly by monitoring their credit activity and taking protective measures to minimise the risk of fraud.
