Data of 17.6 Million Users Stolen from P2P Lending Platform Prosper

Hackers have stolen personal data belonging to more than 17.6 million people after breaching the systems of the U.S.-based financial technology company Prosper. The compromised information includes names, home addresses, dates of birth, email addresses, Social Security numbers, identification documents, and employment-related details.

Prosper’s Role in the Lending Market

Founded in 2005, Prosper operates as a peer-to-peer (P2P) lending platform, connecting individual investors with borrowers directly — without traditional banking intermediaries. Over its two-decade history, the company has helped more than two million customers secure over $30 billion in loans.

Timeline of the Breach

The company reported discovering unauthorized access on September 2, 2025, and stated that it had contained the intrusion shortly thereafter. Initial disclosures suggested that the attackers had accessed data belonging to both investors and borrowers.
However, Prosper has not yet confirmed the full scope of the compromised information, saying the forensic investigation remains ongoing.

Prosper has notified financial regulators and is cooperating with law enforcement. In a statement, the company said:

“We have evidence that confidential and personal data, including Social Security numbers, was stolen. The access occurred through unauthorized queries to databases containing customer and loan application information. Once we precisely determine which data was affected, all impacted individuals will be offered free credit monitoring.”

Scale of the Exposure

While Prosper declined to specify the number of users affected, data breach aggregation service Have I Been Pwned (HIBP) has cataloged the incident, stating it involves records tied to 17.6 million unique email addresses.

According to HIBP, the stolen information includes:

• Email addresses and usernames
• Identification document details
• Employment information
• Credit history and income data
• Dates of birth and physical addresses
• IP addresses and browser fingerprints

These details suggest a comprehensive compromise of sensitive personal and financial data.

Company Response and Unconfirmed Reports

A Prosper spokesperson told media outlets that the company is aware of the Have I Been Pwned listing but cannot confirm or deny its accuracy while the investigation continues. The company has urged customers to remain vigilant, monitor their credit reports, and report suspicious account activity.

Analysis

If HIBP’s dataset size is accurate, the Prosper breach ranks among the largest fintech data leaks in recent years — comparable to incidents affecting major consumer lenders and credit platforms. The exposure of identity documents, income data, and Social Security numbers could enable large-scale identity theft and loan fraud if monetized on dark web marketplaces.

As Prosper works to confirm the exact scope, regulators are likely to scrutinize its data protection controls and incident response procedures, particularly given its handling of consumer credit information under U.S. financial privacy laws.