Attackers accessed consumer records after compromising an external integration used by the credit reporting firm.
Credit reporting company 700Credit disclosed that a third-party API integration was compromised, leading to the exposure of sensitive consumer data tied to more than 5.6 million individuals. According to reporting by TechRadar, attackers accessed the exposed API over a period of roughly two weeks starting in late October 2025 and extracted about 20% of available consumer records. The data included names, addresses, dates of birth, and Social Security numbers. 700Credit said its internal systems, payment platforms, and login credentials were not accessed, and that the affected API has since been disabled.
700Credit works with hundreds of partners through API connections that allow consumer credit information to be exchanged for automotive and financial services. In this incident, a partner system was compromised months earlier and failed to notify 700Credit, leaving the exposed interface available for exploitation. The company stated that the activity demonstrated sustained access, rather than a single intrusion attempt, enabling attackers to collect large volumes of personal data over time. Although no account credentials were compromised, the nature of the exposed information poses a risk of targeted phishing, identity theft, and subsequent fraud. Law enforcement and regulators have been notified, and affected individuals are receiving breach notices.
700Credit said it shut down the affected integration after identifying the activity and is coordinating with investigators. The company advised individuals to remain alert for unexpected communications claiming to come from 700Credit or its partners. Michigan Attorney General Dana Nessel urged affected residents to review breach notices carefully and consider protective steps such as credit freezes or monitoring. She said early action can reduce the risk of fraud when Social Security numbers and core identity data are exposed.
According to Paubox report data, many organizations “are unaware of every third-party vendor touching their data,” which allows risk to remain “invisible until a breach occurs.” In environments built around APIs and external integrations, that blind spot can persist for months, as seen in the 700Credit incident where a partner system was compromised long before the exposure was detected.
Paubox also notes that large organizations now operate with “hundreds of applications and sprawling third-party ecosystems,” increasing the likelihood of misconfigurations and inconsistent security enforcement. As data flows extend beyond a single perimeter, breaches are less about a single failure and more about losing visibility into who has access, how long that access persists, and whether partners are meeting notification and security expectations.
Activity may occur outside the primary organization’s monitoring tools, especially when access is routed through trusted partner connections.
They can be used for identity theft, fraudulent credit applications, tax fraud, and highly targeted phishing attempts.
It lowers the risk of immediate account takeover, but exposed identity data can still support fraud and social engineering.