
Prosper, a major US-based peer-to-peer lending platform, has suffered a data breach affecting 17.6 million individuals, according to “Have I Been Pwned” (HIBP).
The incident, which was first disclosed by the company in September 2025 via a customer FAQ, involved the unauthorized extraction of sensitive personal and financial data.
The breach was acknowledged by Prosper on September 18, 2025, when the company disclosed it had detected suspicious activity within its systems earlier that month. While Prosper did confirm at the time that personal data had been accessed, the announcement did not specify the scale of the exposure. The precise scope became clear today with the dataset added to HIBP, identifying 17.6 million unique email addresses among the compromised records.
The compromised data includes a wide range of sensitive attributes:
- Full names
- Email addresses
- Physical addresses
- Dates of birth
- Government-issued IDs
- Social Security numbers
- Employment status
- Income levels
- Credit status information
- IP addresses
- Browser user-agent strings
These data points suggest that both current and prospective customers were impacted, potentially including those who applied for credit but were not approved.
Prosper operates as a peer-to-peer lending marketplace and is one of the earliest and largest platforms of its kind in the US. Since its founding in 2005, the company has facilitated billions of dollars in personal loans, positioning itself as an alternative to traditional banking for both borrowers and retail investors. The platform collects a wide array of sensitive applicant information as part of its underwriting and compliance processes, which likely contributed to the richness of the data exposed.
According to Prosper's FAQ, the breach was the result of unauthorized queries made against internal company databases, suggesting a compromise of administrative-level access or insufficient segmentation between systems. The firm claims there is no evidence that customer funds or account access were affected and maintains that customer-facing operations continued without disruption. It also states that the last signs of unauthorized activity date back to September 2, 2025.
The company has not released detailed information about the initial attack vector, the threat actor involved, or how long the attackers maintained access prior to detection. Prosper has engaged a third-party cybersecurity firm to assist in the investigation and has informed law enforcement. Prosper is also offering free credit monitoring to affected individuals.
Given the breadth of data involved, those impacted by the Prosper breach face heightened risks of identity theft, targeted phishing, and fraud. The inclusion of browser and IP data may also enable profiling or geolocation-based attacks, particularly when combined with other exposed elements, so elevated vigilance is recommended.