Prosper Marketplace: 17.6M Loan Applicants' Financial Data Exposed in Three-Month Breach

Sep 1, 2025 · 17.6M affected

CRITICAL

By Karim El Labban · ZERO|TOLERANCE

Between June and August 2025, unauthorized actors accessed Prosper Marketplace's databases through a cloud misconfiguration combined with compromised service account credentials, running unauthorized queries for three months without detection.

The breach exposed data for 17.6 million unique individuals including SSNs, bank account and payment card numbers, passport numbers, driver's license numbers, marriage and birth certificates, tax information, and detailed credit application data.

01

KEY FACTS

  • What: Cloud misconfiguration allowed unauthorized database queries for three months.
  • Who: 17.6 million loan applicants on Prosper's lending platform.
  • Data Exposed: SSNs, bank accounts, passports, tax records, and credit applications.
  • Outcome: Multiple class actions filed; notifications delayed over three months.

02

WHAT HAPPENED

Between June and August 2025, unauthorized actors exploited a cloud misconfiguration in Prosper Marketplace's infrastructure - a misconfigured access control policy on the company's cloud-hosted database environment - combined with compromised service account credentials to run unauthorized queries against production databases for three consecutive months.

Prosper Marketplace operates one of the largest peer-to-peer lending platforms in the United States, originating over $23 billion in consumer loans since inception.

The compromised databases contained the full financial identity of every loan applicant who had ever applied through the platform.

The breach went undetected from June through August 2025. During that period, the attackers executed database queries that extracted records for 17.6 million unique individuals.

The exposed data included Social Security numbers, bank account and payment card numbers, passport numbers, driver's license numbers, marriage and birth certificates, tax returns, W-2 forms, and detailed credit application data including income, employment history, debt-to-income ratios, and credit scores.

This represents the most comprehensive financial identity dataset a lending platform can hold - every piece of information needed to apply for credit, open accounts, and file fraudulent tax returns in the victim's name.

Prosper discovered the breach in late August 2025 but did not begin notifying affected individuals until more than three months later. The SEC disclosure acknowledged the breach timeline but provided limited detail on the root cause or remediation steps.

Multiple class action lawsuits were filed in federal court, alleging that Prosper failed to implement adequate security measures for the volume and sensitivity of data it collected, and that the notification delay deprived affected individuals of the ability to take timely protective action.

03

ZERO|TOLERANCE Advisory

Three months of undetected unauthorized database access against a platform holding the complete financial identity of 17.6 million Americans is a failure of every detection control that should exist between an attacker and a production database.

The attackers did not deploy ransomware. They did not encrypt systems. They did not make noise. They ran queries - the same type of operations that legitimate services perform - and nobody noticed for 90 days. The dwell time alone disqualifies any claim of adequate security.

The first control that would have prevented this breach is proper cloud identity and access management with the principle of least privilege enforced on all service accounts. The attack combined a cloud misconfiguration with compromised service account credentials.

Service accounts in cloud environments should be scoped to the minimum permissions required for their specific function, should rotate credentials automatically on a defined schedule, and should be monitored for anomalous usage patterns.

A service account that suddenly begins executing novel query patterns against databases it has never previously accessed should trigger an immediate alert.

The fact that compromised credentials provided access to production databases containing 17.6 million SSNs indicates that the service account either had excessive permissions or that no privilege boundaries existed between application tiers and the underlying data stores.

The second control is database activity monitoring configured to detect and alert on anomalous query patterns. The attackers ran unauthorized queries for three months.

Database activity monitoring solutions - products from Imperva, IBM Guardium, or native cloud provider tools like AWS Macie and GCP Cloud DLP - record every query executed against a monitored database, baseline normal query patterns, and flag deviations in real time.

A query extracting 17.6 million records, or a series of queries executed from an unfamiliar source over an extended period, would have been flagged within hours of the first unauthorized access.

Three months of undetected queries means either no database monitoring was deployed or the monitoring was not configured to alert on the access patterns that mattered.
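
The baseline-and-alert logic described under the first and second controls (a service account touching a database it has never accessed, queries from an unfamiliar source, sustained extraction) can be sketched as follows. This is an added example, not code from Prosper or any monitoring vendor; the audit-record layout, account names, database names, addresses and the 1.5x volume factor are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed audit records, hypothetical names: (timestamp, account, source_ip, database, rows)
BASELINE_LOG = [
    ("2025-05-01T02:00:00", "svc-loan-api", "10.0.1.15", "loans", 120),
    ("2025-05-01T14:10:00", "svc-loan-api", "10.0.1.15", "loans", 95),
    ("2025-05-02T02:00:00", "svc-loan-api", "10.0.1.16", "loans", 140),
    ("2025-05-02T03:00:00", "svc-report", "10.0.2.20", "analytics", 5000),
]
LIVE_LOG = [
    ("2025-06-03T02:00:00", "svc-loan-api", "10.0.1.15", "loans", 110),
    ("2025-06-03T04:12:00", "svc-loan-api", "203.0.113.50", "applicants_pii", 90),
    ("2025-06-03T04:20:00", "svc-loan-api", "203.0.113.50", "applicants_pii", 90),
    ("2025-06-03T04:30:00", "svc-loan-api", "203.0.113.50", "applicants_pii", 90),
    ("2025-06-04T03:00:00", "svc-report", "10.0.2.20", "analytics", 4800),
]

def build_baseline(events):
    """Per account: databases and sources seen, and peak rows read in one day."""
    seen = defaultdict(lambda: {"dbs": set(), "srcs": set(), "daily": defaultdict(int)})
    for ts, acct, src, db, rows in events:
        seen[acct]["dbs"].add(db)
        seen[acct]["srcs"].add(src)
        seen[acct]["daily"][ts[:10]] += rows  # ts[:10] is the calendar day
    return {a: {"dbs": s["dbs"], "srcs": s["srcs"], "peak": max(s["daily"].values())}
            for a, s in seen.items()}

def detect(events, baseline, volume_factor=1.5):
    """Return (timestamp, account, reasons) for each event deviating from baseline."""
    alerts, running = [], defaultdict(int)
    for ts, acct, src, db, rows in events:
        known = baseline.get(acct)
        if known is None:
            alerts.append((ts, acct, ["unknown-account"]))
            continue
        reasons = []
        if db not in known["dbs"]:
            reasons.append("new-database")
        if src not in known["srcs"]:
            reasons.append("new-source")
        # Cumulative rows per day catch many small queries that each look harmless.
        running[(acct, ts[:10])] += rows
        if running[(acct, ts[:10])] > volume_factor * known["peak"]:
            reasons.append("daily-volume")
        if reasons:
            alerts.append((ts, acct, reasons))
    return alerts

ALERTS = detect(LIVE_LOG, build_baseline(BASELINE_LOG))
print(*ALERTS, sep="\n")
```

On the constructed data the first query against the never-before-seen database alerts immediately, and the third small query adds a volume alert even though no single query is large.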

The third control is cloud security posture management that continuously scans for misconfigurations in access control policies, network exposure, and identity permissions.

The cloud misconfiguration that enabled initial access is a category of vulnerability that CSPM tools are specifically designed to detect.

Products from Wiz, Orca, Palo Alto Prisma Cloud, and others continuously evaluate cloud configurations against security benchmarks and alert on deviations.

A misconfigured access policy on a database containing SSNs for 17.6 million individuals should have been the highest-priority finding in any CSPM scan.

The misconfiguration existed long enough to be discovered and exploited by an external attacker - meaning it was either never scanned for or the finding was ignored.

The fourth control is timely breach notification. Prosper delayed customer notifications by more than three months after discovery.

During that delay, 17.6 million individuals were unable to freeze their credit, monitor their accounts, or take any protective action against the most comprehensive category of financial identity theft. Under the CCPA, California residents have a right to timely notification.

Under SEC disclosure rules, material cybersecurity incidents require 8-K filing within four business days. Under Gramm-Leach-Bliley, financial institutions must maintain safeguards for customer financial information.

The notification delay compounds every other failure in this chain.

04

SOURCES

SEC Disclosure, Class Action Filings, Prosper Marketplace Customer Notifications
