Addi Fintech Breach Exposes 34.5 M Colombian Consumer Records
What Happened — In March 2026 Addi, a Colombian fintech, detected unauthorized activity on its platform. The “pay‑or‑leak” extortion group ShinyHunters claimed responsibility and published a dataset containing 34 million unique email addresses, government‑issued IDs, income levels, credit scores, and other personal details.
Why It Matters for TPRM —
- Massive exposure of personally identifiable information (PII) from a financial‑services vendor can lead to credential stuffing, identity theft, and downstream fraud against your customers.
- The breach demonstrates the risk of third‑party data aggregation services that store sensitive credit‑related data.
- Regulatory scrutiny in Latin America (e.g., Colombia’s data‑protection law) may result in fines and reputational damage for downstream partners.
Who Is Affected — Financial services, fintech platforms, credit bureaus, and any downstream organizations that rely on Addi’s credit‑scoring APIs or data feeds.
Recommended Actions —
- Review any contracts or data‑sharing agreements with Addi; confirm that appropriate security clauses and breach‑notification obligations are in place.
- Validate that Addi’s security controls (encryption at rest, multi‑factor authentication, least‑privilege access) meet your organization’s TPRM standards.
- Conduct a risk‑based assessment of any customer data you receive from Addi and consider re‑architecting workflows to minimize exposure of PII.
Technical Notes — Attack vector not publicly disclosed; likely a credential‑theft or insider‑facilitated compromise leading to bulk data exfiltration. Exfiltrated data includes email addresses, Colombian Cédula IDs, income, credit scores, device IPs, geolocation, and purchase history. Source: Have I Been Pwned – Addi breach