Full Report
In September 2025, Prosper announced that it had detected unauthorised access to their systems, which resulted in the exposure of customer and applicant information. The data breach impacted 17.6M unique email addresses, along with other customer information, including US Social Security numbers. Prosper advised that they did not find any evidence of unauthorised access to customer accounts and funds, and that their customer-facing operations were uninterrupted. Further information about the incident is contained in Prosper's FAQs.
Analysis Summary
# Incident Report: Prosper P2P Lending Data Breach (September 2025)
## Executive Summary
In September 2025, Prosper detected unauthorized access to its systems, leading to the exposure of sensitive customer and applicant data affecting 17.6 million unique email addresses. The breach involved Personally Identifiable Information (PII) and financial indicators, though Prosper reported no evidence of unauthorized access to customer funds or operations. Response actions involved public disclosure and recommendations for user remediation, such as password changes and enabling 2FA.
## Incident Details
- **Discovery Date:** September 2025 (when the unauthorized access was detected)
- **Incident Date:** September 2025 (Approximate date breach occurred/was detected)
- **Affected Organization:** Prosper (P2P Lending Platform)
- **Sector:** Financial Technology / Peer-to-Peer Lending
- **Geography:** United States (Implied by SSN exposure)
## Timeline of Events
### Initial Access
- **Date/Time:** September 2025
- **Vector:** Not explicitly detailed in the source material, but described as "unauthorised access."
- **Details:** Attackers gained access to Prosper's internal systems containing customer and applicant data.
### Lateral Movement
- **Details:** Not specified, but the scope suggests successful movement to access the relevant data stores containing PII.
### Data Exfiltration/Impact
- **Details:** Exposure of 17.6M customer/applicant records, including email addresses, SSNs, credit status info, DOBs, employment status, income levels, physical addresses, and IP addresses.
### Detection & Response
- **How it was discovered:** Prosper detected the unauthorized access in September 2025.
- **Response actions taken:** Prosper announced the breach, provided external FAQs, and advised users to change passwords and enable 2FA. The data was subsequently added to Have I Been Pwned on October 16, 2025.
## Attack Methodology
*Note: Because this summarizes a third-party breach disclosure, specific attacker TTPs are not detailed. The summary below reflects the high-level outcome based on the compromised data.*
- **Initial Access:** Undisclosed.
- **Persistence:** Undisclosed.
- **Privilege Escalation:** Undisclosed.
- **Defense Evasion:** Undisclosed.
- **Credential Access:** Likely involved a compromise that led to access to user PII records.
- **Discovery:** Undisclosed, likely focused on local reconnaissance post-access.
- **Lateral Movement:** Successful movement to PII databases or storage.
- **Collection:** Gathering of PII, including government IDs (SSNs), financial status, and contact information.
- **Exfiltration:** Successful transfer of customer and applicant data.
- **Impact:** Unauthorized exposure of sensitive PII.
## Impact Assessment
- **Financial:** Not explicitly stated; however, costs associated with remediation and notification would apply.
- **Data Breach:** 17.6 million unique email addresses were exposed. Highly sensitive data included **US Social Security numbers (SSNs)**, income levels, credit status, and physical addresses.
- **Operational:** Prosper stated they found **no evidence of unauthorized access to customer accounts and funds**, and customer-facing operations were uninterrupted.
- **Reputational:** Moderate, due to the high volume and sensitivity (SSNs) of the exposure requiring public disclosure.
## Indicators of Compromise
*(Note: No specific IOCs were provided directly in the source material, only actions taken by the organization after confirmation.)*
- **Network indicators - defanged:** N/A
- **File indicators:** N/A
- **Behavioral indicators:** Unauthorized access to PII and customer database records.
## Response Actions
- **Containment:** Prosper detected the unauthorized access, implying immediate steps were taken to block further direct access, though the full timeline is unclear.
- **Eradication:** Not explicitly detailed, assumed to involve securing the compromised systems.
- **Recovery actions:** Public disclosure, creation of customer FAQs, and advising customers on the need to change credentials and activate 2FA.
## Lessons Learned
- The compromise highlights the critical risk associated with storing highly sensitive identifiers like SSNs alongside general customer data.
- While operational systems for fund transfers remained secure, the exposure of PII remains a significant security failure.
## Recommendations
- **Multi-Factor Authentication (MFA):** Immediate mandatory implementation or strong recommendation for all customer accounts, particularly given the exposure of PII that could facilitate credential stuffing.
- **Data Minimization:** Review data retention policies to minimize the storage duration of highly sensitive data like full SSNs, especially for applicants whose relationships may have terminated.
- **Credential Hygiene:** Advise or force users who had accounts prior to the incident to reset passwords.
- **Enhanced Monitoring:** Implement improved monitoring to detect unauthorized bulk data access patterns indicative of data exfiltration.
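
One way to implement the Enhanced Monitoring recommendation, as an added example that is not from Prosper or the source disclosure: a sliding-window check over database audit records that alerts when a single principal reads an unusually large number of rows from PII tables. The log format, table names, principals and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records (not incident data): time, principal, table, rows returned.
SAMPLE_LOG = """\
2025-09-01T09:00:05Z svc-loan-api applicants 1
2025-09-01T09:00:40Z svc-loan-api applicants 3
2025-09-01T09:01:10Z analyst-7 applicants 250
2025-09-01T09:02:00Z svc-report customers 40000
2025-09-01T09:03:30Z svc-report customers 45000
2025-09-01T09:04:10Z svc-report applicants 30000
2025-09-01T09:05:00Z svc-loan-api rate_table 90000
2025-09-01T09:20:00Z svc-report customers 500
"""
PII_TABLES = {"applicants", "customers"}  # hypothetical names of tables holding SSNs etc.

def parse(line):
    ts, principal, table, rows = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), principal, table, int(rows)

def bulk_pii_reads(log_text, window=timedelta(minutes=10), max_rows=50_000):
    """Return (principal, time, rows_in_window) alerts when a principal's reads from
    PII tables inside the sliding window exceed max_rows; one alert per burst."""
    recent = defaultdict(deque)   # principal -> (time, rows) events still in the window
    totals = defaultdict(int)     # principal -> rows read inside the window
    alerting = set()              # principals currently over the threshold
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, principal, table, rows = parse(line)
        if table not in PII_TABLES:
            continue              # large reads of non-PII tables are out of scope here
        q = recent[principal]
        q.append((ts, rows))
        totals[principal] += rows
        while q and ts - q[0][0] > window:      # expire events older than the window
            totals[principal] -= q.popleft()[1]
        if totals[principal] > max_rows:
            if principal not in alerting:       # suppress repeats within one burst
                alerting.add(principal)
                alerts.append((principal, ts, totals[principal]))
        else:
            alerting.discard(principal)
    return alerts

if __name__ == "__main__":
    print(bulk_pii_reads(SAMPLE_LOG))
```

In practice the threshold would be set per principal from its own historical read volume rather than as one fixed number.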