Full Report
On September 1, 2025, Prosper discovered unauthorized activity on our systems. We acted quickly to stop the activity and enhance our security measures, and we began working with a leading cybersecurity firm to investigate what happened. We also reported the incident to law enforcement and offered our full cooperation. However, we did identify evidence that between June and August 2025, data containing personal information was obtained through queries on company databases that store customer and applicant data. There was no evidence of unauthorized access to customer accounts and funds, and our customer-facing operations continue uninterrupted. Additionally, we continuously monitor accounts, which have strong safeguards in place to protect your funds. However, we did identify evidence that data containing personal information was obtained through queries on company databases that store customer and applicant data.
Analysis Summary
# Incident Report: Unauthorized Data Access at Prosper (June - September 2025)
## Executive Summary
On September 1, 2025, Prosper discovered unauthorized activity within its systems. Subsequent investigation revealed that between June and August 2025, an attacker successfully queried company databases containing customer and applicant personal information, leading to a data exfiltration event. Prosper contained the immediate threat, engaged external cybersecurity experts and law enforcement, and is offering affected individuals credit monitoring services. Crucially, there was no evidence of unauthorized access to customer accounts or funds.
## Incident Details
- **Discovery Date:** September 1, 2025
- **Incident Period (Data Exfiltration):** Between June 2025 and August 2025
- **Affected Organization:** Prosper Marketplace, Inc. ("Prosper")
- **Sector:** Financial Technology (Fintech/Lending)
- **Geography:** Not explicitly stated, assumed USA based on communication methods (U.S. Postal Service).
## Timeline of Events
### Initial Access
- **Date/Time:** Sometime before or during June 2025 (the identified activity begins in June)
- **Vector:** Unknown/Unspecified. The attacker gained the ability to execute database queries.
- **Details:** The activity spanned several months, suggesting established access or repeated access between June and August 2025.
### Lateral Movement
- **Details:** Not explicitly documented, but the attacker reached the company databases storing customer and applicant data, which implies movement to those data stores.
### Data Exfiltration/Impact
- **Date/Time:** Between June 2025 and August 2025
- **Vector:** Unauthorized database queries.
- **Details:** Personal information was obtained through repeated queries on company databases storing customer and applicant data. Analysis, concluded on November 26, 2025, confirmed that the data involved highly sensitive PII. Immediate customer-facing operations remained uninterrupted.
### Detection & Response
- **Detection Date:** September 1, 2025 (Unauthorized activity discovered).
- **Response Actions:**
  - The immediate unauthorized activity was stopped.
  - Security measures were enhanced.
  - A leading cybersecurity firm was engaged for investigation.
  - Law enforcement was notified, and cooperation offered.
  - Individual notification letters began mailing on December 9, 2025.
  - Two years of complimentary credit monitoring (via Experian) offered to impacted individuals.
## Attack Methodology
*Note: Specific technical details of the attack progression are not provided in the source material. The following reflects known stages based on the outcome.*
- **Initial Access:** Unknown. Hypothesis suggests vulnerability exploitation or credential compromise leading to system access.
- **Persistence:** Unknown, but necessary to maintain access throughout the June–August timeframe.
- **Privilege Escalation:** Unknown, but access to sensitive customer/applicant databases suggests elevated query privileges were somehow obtained.
- **Defense Evasion:** Unknown. The activity went undetected for potentially several months (June through August).
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Implied movement from initial access point to the specific production databases holding customer/applicant PII.
- **Collection:** Unauthorized querying and aggregation of PII from key databases.
- **Exfiltration:** Data was successfully exfiltrated/obtained between June and August 2025.
- **Impact:** Unauthorized acquisition of sensitive personal identifying information.
## Impact Assessment
- **Financial:** Specific costs not disclosed, but significant response costs incurred (cyber firm engagement, identity protection services, notification costs).
- **Data Breach:** Personal information obtained, including: Name, Social Security Number/National ID Number, Date of Birth, Bank Account Number, Prosper Account Number, Driver’s License Number, Marriage or Birth Certificate details, Passport Number, Tax Information, Payment Card Number, and other financial/credit application information.
- **Operational:** No evidence of unauthorized access to customer accounts and funds. Customer-facing operations continued uninterrupted.
- **Reputational:** Public disclosure was required, including mailed notifications and a public reporting website (launched September 17, 2025).
## Indicators of Compromise
*No specific technical IOCs (IP addresses, hashes, domains) were present in the provided text.*
- **Behavioral indicators:** Sustained, unauthorized database querying activity targeting customer and applicant data stores over a multi-month period (June–August 2025).
## Response Actions
- **Containment measures:** Unauthorized activity was stopped immediately upon discovery on September 1, 2025.
- **Eradication steps:** External cybersecurity firm engaged to investigate and presumably assist in removing persistent threat elements.
- **Recovery actions:** Implementation of enhanced security and monitoring controls. Offering identity protection services to affected users.
## Lessons Learned
- **Key takeaways:** The existing security monitoring failed to detect database querying activity over a three-month period (June–August). Access controls allowed unauthorized querying of highly sensitive PII databases.
- **What could have been done better:** Proactive, enhanced database activity monitoring (e.g., Data Loss Prevention or Database Activity Monitoring) could have detected the data aggregation earlier than the September 1st discovery date.
## Recommendations
- Implement granular, least-privilege access controls specifically for database query execution.
- Deploy or enhance Database Activity Monitoring (DAM) solutions to detect anomalous or bulk data extraction activity in real-time.
- Conduct an immediate, comprehensive review of the past three months of database logs to confirm the full scope and timeline of data access, as the formal analysis concluded November 26, 2025.
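
One way to express the bulk-extraction detection recommended above, shown as an added example that is not code from Prosper or from the source report. The audit-log format, table names, principal names and row budgets are hypothetical, and the sample records are constructed.

```python
import csv
from collections import defaultdict
from io import StringIO

# Hypothetical names: tables holding customer/applicant PII, and the daily
# row budget each database principal is expected to need (least privilege).
SENSITIVE_TABLES = {"customers", "applicants"}
DAILY_ROW_BUDGET = {"loan_app_svc": 500}  # principals not listed: budget 0

# Constructed audit records: timestamp,principal,table,statement,rows_returned
SAMPLE_AUDIT_LOG = """\
2025-06-03T02:14:07Z,loan_app_svc,applicants,SELECT,40
2025-06-03T02:15:10Z,report_ro,customers,SELECT,9000
2025-06-03T09:00:00Z,report_ro,marketing_stats,SELECT,50000
2025-06-17T02:11:45Z,report_ro,applicants,SELECT,11000
2025-07-08T02:09:31Z,report_ro,customers,SELECT,8500
2025-07-08T14:30:00Z,loan_app_svc,customers,SELECT,700
2025-08-12T02:20:02Z,report_ro,customers,SELECT,12500
"""

def daily_pii_rows(log_text):
    """Sum rows read from sensitive tables per (principal, UTC date)."""
    totals = defaultdict(int)
    for row in csv.reader(StringIO(log_text)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, principal, table, stmt, rows = row
        if stmt.upper() == "SELECT" and table in SENSITIVE_TABLES:
            totals[(principal, ts[:10])] += int(rows)
    return totals

def find_sustained_extraction(log_text, min_days=3):
    """Return {principal: [dates]} where the daily budget was exceeded on at
    least min_days distinct days, i.e. repeated reads rather than a one-off."""
    over = defaultdict(list)
    for (principal, day), rows in sorted(daily_pii_rows(log_text).items()):
        if rows > DAILY_ROW_BUDGET.get(principal, 0):
            over[principal].append(day)
    return {p: days for p, days in over.items() if len(days) >= min_days}

if __name__ == "__main__":
    for principal, days in find_sustained_extraction(SAMPLE_AUDIT_LOG).items():
        print(f"ALERT {principal}: over budget on {len(days)} days: {days}")
```

Counting distinct over-budget days, rather than alerting on a single large read, targets the repeated multi-month querying pattern described in this report; a principal with no budget entry is flagged on any read of a sensitive table.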