HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Addi Fintech Breach Exposes 34.5 M Colombian Consumer Records

In March 2026 Addi, a Colombian fintech, suffered a breach that released 34 million consumer records—including IDs, income, and credit scores—after the ShinyHunters extortion group published the data. The incident highlights third‑party risk for firms that ingest credit‑scoring data.

LiveThreat™ Intelligence · 📅 May 19, 2026· 📰 haveibeenpwned.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
haveibeenpwned.com

Addi Fintech Breach Exposes 34.5 M Colombian Consumer Records

What Happened — In March 2026 Addi, a Colombian fintech, detected unauthorized activity on its platform. The “pay‑or‑leak” extortion group ShinyHunters claimed responsibility and published a dataset containing 34 million unique email addresses, government‑issued IDs, income levels, credit scores, and other personal details.

Why It Matters for TPRM

  • Massive exposure of personally identifiable information (PII) from a financial‑services vendor can lead to credential stuffing, identity theft, and downstream fraud against your customers.
  • The breach demonstrates the risk of third‑party data aggregation services that store sensitive credit‑related data.
  • Regulatory scrutiny in Latin America (e.g., Colombia’s data‑protection law) may result in fines and reputational damage for downstream partners.

Who Is Affected — Financial services, fintech platforms, credit bureaus, and any downstream organizations that rely on Addi’s credit‑scoring APIs or data feeds.

Recommended Actions

  • Review any contracts or data‑sharing agreements with Addi; confirm that appropriate security clauses and breach‑notification obligations are in place.
  • Validate that Addi’s security controls (encryption at rest, multi‑factor authentication, least‑privilege access) meet your organization’s TPRM standards.
  • Conduct a risk‑based assessment of any customer data you receive from Addi and consider re‑architecting workflows to minimize exposure of PII.

Technical Notes — Attack vector not publicly disclosed; likely a credential‑theft or insider‑facilitated compromise leading to bulk data exfiltration. Exfiltrated data includes email addresses, Colombian Cédula IDs, income, credit scores, device IPs, geolocation, and purchase history. Source: Have I Been Pwned – Addi breach

📰 Original Source
https://haveibeenpwned.com/Breach/ADDI

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →