Data breach tracker HaveIBeenPwned claims the victim count of peer-to-peer lender Prosper’s September cyberattack stands at 17.6 million.
In the first breakdown of affected data since Prosper disclosed the attack last month, HIBP alleges that email addresses – as expected – were affected, as well as a slew of other personal information. This included:
- Browser user agent details
- Credit status information
- Dates of birth
- Employment statuses
- Government-issued IDs
- Income levels
- IP addresses
- Names
- Physical addresses
Customer accounts and funds are believed to be safe, and there was no impact to the platform’s customer-facing operations.
To date, Prosper has only confirmed that “confidential, proprietary, and personal information, including Social Security numbers,” was affected, and it is yet to confirm the scale.
The Register approached the company for a response to the post on HIBP, which is owned by security veteran Troy Hunt.
A spokesperson said: “We’re aware of the statement by Mr Hunt but we are not able to validate his claim. The investigation to determine what data was affected and to whom it belongs remains ongoing.”
According to the San Francisco-based lending platform’s FAQ page dedicated to the attack, Prosper believes the unauthorized access to its systems was contained as of September 2, but it did not say when the intrusion first began.
That may be because its investigation is in the early stages and it must have a deluge of data to work through and verify. It is typical for incident response investigations to take weeks or months.
“The investigation is still in its very early stages, but resolving this incident is our top priority and we are committed to sharing additional information with our customers as appropriate,” Prosper wrote.
“We immediately launched our incident response efforts as soon as we learned of this unauthorized access. We have been working diligently since discovering this incident to comprehensively contain it, prevent it from impacting our customers and systems, identify the compromised data, and appropriately provide information to those whose information was impacted. We’ve prioritized providing accurate information.”
As is customary in cases of data theft in the US, Prosper confirmed it will be offering affected individuals free credit monitoring services once it finalizes the data and the exact number of affected individuals.
In the meantime, it said it was committed to fully complying with law enforcement investigations, and despite already having a “variety of measures and technologies to prevent these types of incidents,” it vowed to improve its security controls.
Founded in 2005, Prosper claims to have helped 2 million people access more than $28 billion in personal loans, $1 billion in extended credit, and more than $500 million in home equity loans and lines of credit. It also offers a broader range of financial products.
If the 17.6 million figure is correct, it would make Prosper’s breach among the most significant and far-reaching of the year so far, although it doesn’t quite crack the rankings for the biggest of all time.
At the bottom end of this scale there are the attacks on Home Depot and JPMorgan Chase, which stand at 56 million and 83 million respectively.
At the very top end are the likes of Yahoo (3 billion), National Public Data (initially reported 2.9 billion but later rebuffed, albeit with some added speculation), and River City Media (1.4 billion).
If you want to count the so-called “mother of all breaches,” that stands at a reported 26 billion. However, this was an amalgamation of nearly 4,000 individual data attacks so it’s not quite a fair comparison, despite garnering a ton of attention after it was leaked in January 2024. ®