Full Report
In March 2026, the Colombian fintech company Addi identified unauthorised activity on its platform and advised customers that "it is possible that your personal information may have been compromised". The "pay or leak" extortion group ShinyHunters subsequently claimed responsibility and published a large trove of personal data allegedly obtained from Addi. The data included 34M unique email addresses from credit scoring requests, credit bureau records, customer identity records and email validation logs. It also contained government issued IDs (Cédula de Ciudadanía), estimated income, socioeconomic levels, purchases and other credit-related data points.
Analysis Summary
# Incident Report: Addi Fintech Data Breach
## Executive Summary
In March 2026, the Colombian fintech company Addi suffered a major data breach involving the exfiltration of 34.5 million unique records. The "ShinyHunters" extortion group claimed responsibility, leaking highly sensitive financial and personal data after an unauthorized platform intrusion. The breach significantly impacted Colombian citizens, exposing credit histories, government IDs, and socioeconomic profiles.
## Incident Details
- **Discovery Date:** March 2026
- **Incident Date:** March 2026
- **Affected Organization:** Addi
- **Sector:** Fintech / Digital Lending
- **Geography:** Colombia
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026 (Specific time not disclosed)
- **Vector:** Unauthorized platform activity (Specific entry point undisclosed)
- **Details:** Attackers gained access to internal systems housing credit scoring and customer validation logs.
### Lateral Movement
- Attackers traversed systems containing credit bureau mirrors, identity records, and transaction logs, allowing for the collection of deep financial profiles.
### Data Exfiltration/Impact
- ShinyHunters exfiltrated a dataset containing 34.5 million unique email addresses and associated PII.
- The group subsequently published the data on their "pay or leak" portal after extortion attempts.
### Detection & Response
- **Discovery:** Addi identified unauthorized activity on its platform in March 2026.
- **Response:** The company issued a public advisory to customers acknowledging the potential compromise and initiated an investigation.
## Attack Methodology
*Note: Specific technical TTPs were not fully disclosed in the public advisory.*
- **Initial Access:** Undisclosed; the advisory describes only unauthorized platform activity, which is consistent with either exploitation of a platform vulnerability or use of compromised credentials.
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Likely used to access sensitive credit bureau records and identity databases.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Mapping of databases containing credit scoring requests and email validation logs.
- **Lateral Movement:** Movement between customer-facing platform and backend financial databases.
- **Collection:** Gathering of structured data (SQL/NoSQL dumps) including IDs, income, and purchases.
- **Exfiltration:** Large-scale transfer of 34M+ records to attacker-controlled infrastructure.
- **Impact:** Data theft followed by "pay or leak" extortion by ShinyHunters.
## Impact Assessment
- **Financial:** Potential for massive fraudulent credit applications using leaked Cédula and credit history data.
- **Data Breach:** 34.5 million unique email addresses; government-issued IDs (Cédula de Ciudadanía), estimated income, socioeconomic levels, credit scores, and purchase history.
- **Operational:** Disruption of credit scoring services during investigation and remediation.
- **Reputational:** High; loss of consumer trust in a major regional fintech leader.
## Indicators of Compromise
- **Network indicators:** None disclosed (check for egress to known ShinyHunters drop-sites).
- **File indicators:** None disclosed.
- **Behavioral indicators:** Unusual query volumes on credit scoring databases and bulk export of identity validation logs.
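The behavioral indicators above (unusual query volumes, bulk export of validation logs) can be expressed as alerting logic. The following is an added example, not part of the original report and not Addi's or any DAM vendor's code: it parses constructed database audit-log lines (assumed format: timestamp, principal, database, rows returned, statement) and flags bulk-export statements, oversized single results, and cumulative per-principal row volume inside a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log sample (not from the incident). Assumed format per line:
# <ISO timestamp> user=<principal> db=<database> rows=<rows returned> stmt=<statement>
AUDIT_LOG = """\
2026-03-10T09:00:01Z user=app_scoring db=credit_scoring rows=1 stmt=SELECT score FROM scores WHERE cedula=$1
2026-03-10T09:00:02Z user=app_scoring db=credit_scoring rows=1 stmt=SELECT score FROM scores WHERE cedula=$1
2026-03-10T09:00:03Z user=app_scoring db=credit_scoring rows=1 stmt=SELECT score FROM scores WHERE cedula=$1
2026-03-10T02:14:07Z user=analytics_ro db=identity rows=2500000 stmt=SELECT email,cedula,income FROM validation_logs
2026-03-10T02:15:40Z user=analytics_ro db=identity rows=0 stmt=COPY (SELECT * FROM customers) TO '/tmp/c.csv'
2026-03-10T02:16:02Z user=analytics_ro db=credit_bureau rows=1800000 stmt=SELECT * FROM bureau_mirror
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) rows=(?P<rows>\d+) stmt=(?P<stmt>.*)$")
# Statement shapes that write whole result sets out of the engine (PostgreSQL / MySQL syntax).
BULK_EXPORT_RE = re.compile(r"\bCOPY\b.*\bTO\b|\bINTO\s+(OUTFILE|DUMPFILE)\b", re.I)

ROWS_PER_STMT_LIMIT = 10_000     # one statement returning more rows than a customer-facing path needs
ROWS_PER_WINDOW_LIMIT = 100_000  # cumulative rows per principal inside WINDOW
WINDOW = timedelta(minutes=10)

def parse(log):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {**m.groupdict(), "rows": int(m["rows"]),
                   "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")}

def detect(log):
    """Return alerts as (rule, principal, database, detail) tuples, in time order."""
    alerts, windows, volume_fired = [], defaultdict(list), set()
    for ev in sorted(parse(log), key=lambda e: e["ts"]):  # logs may arrive unordered
        if BULK_EXPORT_RE.search(ev["stmt"]):
            alerts.append(("bulk_export_stmt", ev["user"], ev["db"], ev["stmt"]))
        if ev["rows"] > ROWS_PER_STMT_LIMIT:
            alerts.append(("large_result", ev["user"], ev["db"], f"rows={ev['rows']}"))
        w = windows[ev["user"]]
        w.append((ev["ts"], ev["rows"]))
        w[:] = [(t, r) for t, r in w if ev["ts"] - t <= WINDOW]  # drop events outside the window
        total = sum(r for _, r in w)
        if total > ROWS_PER_WINDOW_LIMIT and ev["user"] not in volume_fired:
            volume_fired.add(ev["user"])  # one volume alert per principal per run
            alerts.append(("window_volume", ev["user"], ev["db"], f"rows_in_window={total}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print(*alert)
```

The per-request scoring traffic stays silent while the read-only analytics principal trips all three rules; the thresholds are constructed and would be tuned against a baseline of legitimate batch jobs.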
## Response Actions
- **Containment:** Identified and blocked unauthorized platform activity.
- **Eradication:** Not disclosed.
- **Recovery:** Notified affected customers; updated security protocols for identity validation.
## Lessons Learned
- **Key takeaways:** Centralized databases of financial and identity data are high-value targets for regional extortion groups.
- **What could have been done better:** Implementation of more rigorous egress filtering and data masking for sensitive fields like income and government IDs when not actively in use.
## Recommendations
- **Zero Trust Architecture:** Implement strict identity and access management (IAM) to ensure least-privilege access to credit bureau records.
- **Data Encryption:** Encrypt sensitive PII at rest and in transit, and use keyed hashing (HMAC) for identifiers where possible.
- **Enhanced Monitoring:** Deploy Database Activity Monitoring (DAM) to alert on bulk data exports or unusual query patterns.
- **Multi-Factor Authentication:** Require phishing-resistant MFA for all administrative and platform access points.
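The data-masking and keyed-hashing recommendations above, as an added example that is not Addi's code or part of the original report: HMAC-based pseudonymisation and display masking of a Cédula, plus a scaled-down check of why an unkeyed hash of a short numeric ID is recoverable by enumeration. The key, the 6-10 digit length range and the ID values are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# The pseudonymisation key would normally live in a KMS/HSM; one is constructed here.
PSEUDONYM_KEY = secrets.token_bytes(32)

def normalize_cedula(cedula: str) -> str:
    """Cédula numbers are often written with dots ('1.234.567.890'); keep digits only.
    The 6..10 digit range is an assumption for this example, not a legal rule."""
    digits = "".join(ch for ch in cedula if ch.isdigit())
    if not 6 <= len(digits) <= 10:
        raise ValueError(f"unexpected Cédula length: {len(digits)}")
    return digits

def pseudonymize(cedula: str, key: bytes = PSEUDONYM_KEY) -> str:
    """HMAC-SHA256 pseudonym: the same ID maps to the same token across tables,
    so joins and dedup still work, but a leaked dump is useless without the key."""
    return hmac.new(key, normalize_cedula(cedula).encode(), hashlib.sha256).hexdigest()

def mask_for_display(cedula: str) -> str:
    """Masked form for support or UI views when the full ID is not actively needed."""
    d = normalize_cedula(cedula)
    return "*" * (len(d) - 3) + d[-3:]

def unkeyed_hash(cedula: str) -> str:
    """Plain SHA-256 of the ID: what 'hashing' without a key actually stores."""
    return hashlib.sha256(normalize_cedula(cedula).encode()).hexdigest()

def recover_unkeyed(target: str, digits: int) -> Optional[str]:
    """Why the key matters: a national ID is a short numeric string, so an unkeyed
    hash is only a table lookup over 10**digits candidates. Scaled down to a
    6-digit space here; the real ~10-digit space is still within reach of
    commodity hashing hardware, while an HMAC token with a secret key is not."""
    for n in range(10 ** digits):
        candidate = str(n).zfill(digits)
        if hashlib.sha256(candidate.encode()).hexdigest() == target:
            return candidate
    return None
```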