US peer-to-peer lending platform Prosper suffered a data breach that could have exposed the personal data of over 17 million customers.
The breach was revealed by Prosper in a breach notification published in September.
On October 16, Have I Been Pwned, a data breach tracking website operated by security researcher Troy Hunt, added a new entry indicating that the attack was attributed to a threat actor called Hiron and that the breach affected 17.6 million Prosper customers.
The entry noted that the exposed data included the following:
- Names
- Dates of birth
- Government issued IDs
- US Social Security numbers
- Physical addresses
- Email addresses
- IP addresses
- Employment statuses
- Credit status information
- Income levels
- Browser user agent details
Prosper’s Customer-Facing Operations Unaffected
In its September advisory, Prosper said that the data was obtained through unauthorized queries made on the company databases that store customer information and applicant data.
The company shut down the activity promptly and confirmed that the unauthorized access was revoked as of September 2.
Prosper emphasized that no operational disruptions occurred and that early investigations found no evidence of unauthorized account access or fund theft.
The firm reported the incident to US law enforcement.
“Prosper has taken additional steps to deploy enhanced security controls and safeguards and has increased and fortified monitoring and security alerting and response,” said the firm in its advisory.
Affected customers will receive free credit monitoring once the company has fully determined the scope of the customer data that has been potentially exposed.
The lending company informed customers that while any uninvested cash in their accounts remained insured by the US Federal Deposit Insurance Corporation (FDIC) and could be withdrawn at any time, invested funds, including principal and interest, would be repaid only over the term of the underlying loans.