
Introduction: what happened at Prosper
Prosper—one of the earliest U.S. peer-to-peer lending platforms—disclosed a cybersecurity incident identified on September 1, 2025. Subsequent reporting and regulator disclosures indicate an unauthorized party accessed systems holding proprietary and confidential information. Have I Been Pwned (HIBP) has now added the incident with 17.6 million unique email addresses and confirms exposure of additional sensitive data (including SSNs).
In brief
- Victim: Prosper Marketplace, Inc. & Prosper Funding LLC (fintech / P2P lending).
- When detected: Sept 1, 2025; disclosed to the SEC Sept 17, 2025.
- Scale: 17.6M unique email addresses in HIBP.
- Data types: Email addresses and “other customer information,” including SSNs.
- Accounts/funds: Prosper says no evidence of unauthorized access to customer accounts or funds.
- Status: Notifications to affected individuals in mid-September; legal investigations ongoing.
Context / history / connections
The first official breadcrumb is Prosper’s Form 8-K filed September 17, 2025, stating an unauthorized third party accessed company systems and that the investigation and remediation were underway. Law-firm advisories and PR notices followed. On October 16, 2025, BleepingComputer reported HIBP’s addition of the Prosper breach at 17.6M impacted accounts, and HIBP’s listing now mirrors those figures. Troy Hunt (HIBP’s founder) also posted the addition publicly.
Key dates
- Sept 1, 2025: Incident detected.
- Sept 17, 2025: SEC 8-K disclosure; notification cycle begins.
- Oct 16, 2025: HIBP lists the breach (reported by BleepingComputer).
Technical analysis / details of the vulnerability
Prosper’s SEC filing describes unauthorized access to systems containing proprietary and confidential information, prompting response, containment, and forensic investigation. HIBP’s entry sets practical scope: 17.6M unique email addresses plus other customer data, explicitly including SSNs. Importantly, Prosper states no evidence of unauthorized access to customer accounts or funds, implying the incident targeted data stores rather than transactional rails. The exact intrusion vector (e.g., credential compromise, vendor exposure, or on-prem/cloud misconfiguration) has not been publicly detailed.
Compromised data (as publicly stated)
- Email addresses (17.6M unique)
- “Other customer information,” including SSNs
- (No indication of passwords or direct bank account access in public disclosures to date)
Practical consequences / risks
For affected borrowers, investors, and applicants, the presence of SSNs elevates risk from simple phishing to account takeover, synthetic identity fraud, tax refund fraud, and new-account fraud. Even without passwords in scope, large email datasets paired with PII enable highly convincing spear-phishing and credential-stuffing attempts against other services. Prosper’s statement that funds and account access weren’t impacted reduces immediate transactional risk but does not mitigate long-tail identity abuse risks.
Operational recommendations / what to do next
For individuals (U.S.)
- Place a credit freeze with Equifax, Experian, and TransUnion (free in the U.S.).
- Add a fraud alert and consider a credit lock/monitoring service.
- File for an IRS IP PIN (Identity Protection PIN) before tax season to blunt refund fraud.
- Monitor Prosper notices and consider enrolling in any offered identity protection.
- Harden your broader account security: enable MFA everywhere, rotate reused passwords, and audit password managers for unique, strong creds.
- Phishing hygiene: Treat Prosper-branded emails/SMS with caution; navigate directly to official sites, not via links.
For enterprises (fintech & lenders)
- Third-party risk: inventory data flows, ensure least-privilege access to data lakes, and require strong auth + continuous monitoring for partners.
- Detect & respond: enrich SIEM with SSN/PII access telemetry, flag anomalous bulk reads/downloads.
- Data minimization & tokenization: reduce SSN footprint; tokenize where retention is mandated.
- Breach-ready governance: pre-approved regulator and customer comms runbooks, SEC 8-K playbooks, and table-top exercises focused on PII exfiltration scenarios.
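
The "Detect & respond" item above, sketched as an added example (not code from Prosper or any source cited here): it flags principals whose daily reads from SSN-bearing tables exceed their own baseline. The table names, principals, thresholds, and all telemetry are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Hypothetical names of tables that hold SSNs (assumption, not from the page).
PII_TABLES = {"applicants_pii", "borrower_ssn"}

def _series(principal, table, counts):
    # Constructed sample telemetry: one (day, principal, table, rows_read) per day.
    return [(f"2025-01-{i + 1:02d}", principal, table, n) for i, n in enumerate(counts)]

EVENTS = (
    _series("svc-underwriting", "applicants_pii", [1200, 1150, 1300, 1250, 1180, 1250])
    + _series("analyst-jdoe", "borrower_ssn", [40, 55, 35, 60, 50, 48000])
    + _series("analyst-jdoe", "marketing_events", [0, 0, 0, 0, 0, 500000])  # not PII
    + [("2025-01-06", "svc-export-tmp", "applicants_pii", 90000)]  # no history
)

def daily_pii_reads(events):
    """Sum rows read from SSN-bearing tables per principal per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, principal, table, rows in events:
        if table in PII_TABLES:
            totals[principal][day] += rows
    return totals

def flag_bulk_reads(events, today, k=6.0, floor=500):
    """Return (principal, rows_today, threshold) for reads above the baseline.

    Baseline is the principal's own median daily volume plus k robust
    deviations (MAD), never below `floor`. Principals with no history are
    flagged on the floor alone and report threshold None.
    """
    alerts = []
    for principal, per_day in daily_pii_reads(events).items():
        history = [n for day, n in per_day.items() if day < today]
        current = per_day.get(today, 0)
        if not history:
            if current >= floor:
                alerts.append((principal, current, None))
            continue
        med = median(history)
        mad = median(abs(n - med) for n in history)
        spread = max(mad, 0.05 * med, 1)  # keep flat baselines from alerting on noise
        threshold = max(floor, med + k * spread)
        if current > threshold:
            alerts.append((principal, current, threshold))
    return sorted(alerts, key=lambda a: a[0])

if __name__ == "__main__":
    for alert in flag_bulk_reads(EVENTS, today="2025-01-06"):
        print(alert)
```

A per-principal baseline keeps a high-volume service account from masking a low-volume analyst whose reads jump by orders of magnitude; the no-history branch covers newly created identities, which have no baseline to compare against.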
Differences / comparisons with other cases
In raw email count (17.6M), Prosper is smaller than “Collection #1” scale incidents but more severe per-record because of SSN exposure, which materially increases identity-fraud risk versus breaches limited to contact info.
Summary / key takeaways
- Scope: 17.6M unique emails; SSNs included among exposed data.
- Systems, not funds: Prosper reports no evidence of account/funds access.
- Risk profile: Long-tail identity fraud risk is significant; credit freezes and IRS IP PINs are prudent.
- Unanswered: Root cause and intrusion vector remain undisclosed publicly.
Sources / bibliography
- SEC 8-K (Prosper Marketplace / Prosper Funding), Sept 17, 2025.
- Have I Been Pwned – Prosper breach entry.
- BleepingComputer — HIBP: Prosper data breach impacts 17.6M accounts (Oct 16, 2025).
- Troy Hunt (X) — HIBP addition announcement.
- PR Newswire (law-firm notice summarizing SEC disclosure & SSN impact).

