700Credit Data Breach API Security Failure

API Security Failure: 700Credit's Third-Party Partner Breach Leads to Exposure of 5.6 Million Individuals' PII

700Credit, a major fintech and data services provider serving approximately 18,000 auto, RV, powersports, and marine dealerships across the United States, disclosed a significant data breach affecting at least 5.6 million individuals. The breach, discovered in October 2025, exposed names, addresses, dates of birth, and Social Security numbers collected from dealership customers between May and October 2025. The incident originated from a compromised third-party partner's systems that were exploited to gain unauthorized API access to 700Credit's 700Dealer.com application layer.

The Attack Chain: Supply Chain Vulnerability Exploited

700Credit's Managing Director Ken Hill disclosed that an unnamed integration partner's systems were compromised in July 2025, but the partner failed to notify 700Credit of the security incident. The threat actors leveraged access to the partner's communication logs with 700Credit to identify and exploit a vulnerable API endpoint designed to allow partners to pull consumer information without storing data locally.

According to Hill, the attackers conducted extensive reconnaissance, "pinging us millions and millions of times" before exploiting the unvalidated API vulnerability. The attackers maintained persistent access for approximately two weeks, extracting approximately 20% of 700Credit's customer database before the company identified and shut down the compromised API. After eviction from the system, the threat actors sent 700Credit a message that Hill characterized as "kind of spooky," suggesting deliberate, targeted operations rather than opportunistic compromises.

Exposed Data and Consumer Risk Profile

The breach exposed a comprehensive identity packet sufficient for sophisticated fraud operations:

  • Names and addresses: Enabling targeted phishing and physical fraud

  • Dates of birth: Supporting identity theft and account opening fraud

  • Social Security numbers: Facilitating direct financial account compromises, loan origination fraud, and credit fraud

The combination of these data elements creates exceptional risk for affected individuals. Attackers possess sufficient information to conduct SIM swapping, open fraudulent financial accounts, and execute comprehensive identity theft operations. Although 700Credit reports no evidence of active misuse as of the disclosure date, the sensitive nature of exposed data suggests significant fraud risk in coming months.

Investigation Findings and Forensic Conclusions

700Credit engaged cybersecurity experts who concluded that the breach remained limited to the application layer—specifically the compromised third-party API integration—with no penetration of 700Credit's internal network or core operational infrastructure. The company maintained continuous service delivery to dealer clients throughout the incident and investigation phases.

Notably, forensic analysis revealed that threat actors achieved approximately 80% damage without accessing internal systems, highlighting API security vulnerabilities in modern software architectures. The attackers exploited the absence of proper API request validation—specifically, 700Credit failed to verify that API requests originated from legitimate partner systems rather than adversary-controlled infrastructure.
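The missing control described above, verifying that a request really comes from a registered partner system, can be sketched as follows. This is an added example, not 700Credit's code: the partner ID, key, network range, and signed-field layout are hypothetical, and the page does not say how the real API authenticated callers.

```python
import hashlib
import hmac
import ipaddress

# Constructed partner registry: per-partner key and registered egress networks.
PARTNERS = {
    "partner-a": {
        "key": b"constructed-demo-key",
        "networks": [ipaddress.ip_network("198.51.100.0/24")],
    },
}
MAX_SKEW = 300        # seconds a signed request stays acceptable
_seen_nonces = set()  # demo only; use a shared store with expiry in production


def sign(key, method, path, ts, nonce, body):
    """Signature over every field the server will act on."""
    fields = [method, path, str(ts), nonce, hashlib.sha256(body).hexdigest()]
    return hmac.new(key, "\n".join(fields).encode(), hashlib.sha256).hexdigest()


def validate(partner_id, src_ip, method, path, ts, nonce, body, sig, now):
    """Return (allowed, reason); every check must pass before data is served."""
    partner = PARTNERS.get(partner_id)
    if partner is None:
        return False, "unknown partner"
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in partner["networks"]):
        return False, "source not registered for partner"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"
    expected = sign(partner["key"], method, path, ts, nonce, body)
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if (partner_id, nonce) in _seen_nonces:
        return False, "replayed nonce"
    _seen_nonces.add((partner_id, nonce))
    return True, "ok"
```

Binding the credential to registered source networks matters here because a key taken from a compromised partner would otherwise work from any host.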

Notification and Remediation Response

700Credit coordinated multi-agency notification and regulatory response:

  • Law Enforcement: Reported the incident to the Federal Bureau of Investigation and Federal Trade Commission

  • Regulatory Coordination: Filed consolidated breach notification with the FTC on behalf of all affected dealer clients, satisfying Safeguards Rule reporting requirements for participating dealerships

  • Consumer Notification: Beginning December 22, 2025, the company commenced written notification of affected individuals, offering 12 months of complimentary credit monitoring services through TransUnion and identity restoration assistance

  • State Coordination: Working with the National Automobile Dealers Association (NADA) and notifying state attorneys general across the country

  • Support Infrastructure: Established dedicated support line (866-273-0345) for consumer and dealer inquiries

Consumer Alert and Attorney General Warnings

Michigan Attorney General Dana Nessel issued a consumer alert warning approximately 160,000 Michigan residents affected by the breach. Nessel emphasized that recipients should "not ignore" 700Credit notification letters and should immediately take protective measures, including credit freezes, credit monitoring, password updates, and enabling multi-factor authentication.

The Michigan AG also recommended regular credit report reviews through Equifax, Experian, and TransUnion via the Annual Credit Report website (www.annualcreditreport.com).

Industry Implications and Broader Vulnerabilities

The 700Credit incident exposes systemic vulnerabilities in supply chain security across the automotive dealership and financial services sectors. Ken Hill acknowledged concerns regarding smaller and mid-sized dealerships lacking robust cybersecurity infrastructure. He emphasized that improved communication regarding security incidents among integration partners could have prevented the attack: "If we'd been notified because we could've shut it down."

The incident highlights the critical importance of partner security vetting, API request validation, and rapid breach notification protocols. Dealerships relying on 700Credit services should conduct comprehensive security audits of all third-party integrations and implement enhanced monitoring of API activity.
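One form the enhanced API monitoring could take is a per-partner baseline that flags hours with a spike in distinct consumer lookups or with a source address never seen for that partner. This is an added example, not code from 700Credit or any vendor: the log fields, thresholds, and sample events are constructed for illustration.

```python
from collections import defaultdict
from statistics import median


def flag_partner_hours(events, factor=5, min_baseline=3):
    """events: (hour, partner, src_ip, consumer_id) tuples from API logs.
    Returns [(hour, partner, [reasons])] for hours that break the baseline."""
    buckets = defaultdict(lambda: {"ips": set(), "consumers": set()})
    for hour, partner, ip, consumer in events:
        buckets[(hour, partner)]["ips"].add(ip)
        buckets[(hour, partner)]["consumers"].add(consumer)

    history = defaultdict(list)   # partner -> distinct-consumer counts of clean hours
    known_ips = defaultdict(set)  # partner -> source addresses seen in clean hours
    alerts = []
    for hour, partner in sorted(buckets):
        b, past, reasons = buckets[(hour, partner)], history[partner], []
        if len(past) >= min_baseline:  # stay quiet until a baseline exists
            if len(b["consumers"]) > factor * median(past):
                reasons.append("consumer-lookup spike")
            new_ips = b["ips"] - known_ips[partner]
            if new_ips:
                reasons.append("new source " + ",".join(sorted(new_ips)))
        if reasons:
            alerts.append((hour, partner, reasons))
        else:
            # Only clean hours extend the baseline, so sustained abuse
            # cannot gradually become the new normal.
            past.append(len(b["consumers"]))
            known_ips[partner] |= b["ips"]
    return alerts


def constructed_events():
    """Constructed sample: steady partner traffic, then one bulk-pull hour."""
    ev = []
    for hour in (0, 1, 2, 3, 5):
        ev += [(hour, "partner-a", "198.51.100.7", f"c{hour}-{i}") for i in range(4)]
    ev += [(4, "partner-a", "203.0.113.9", f"x{i}") for i in range(40)]
    return ev
```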

Legal and Litigation Developments

Class action law firms including Edelson Lechtzin LLP are investigating data privacy claims on behalf of affected consumers. Litigation has already commenced despite ongoing notification efforts, creating additional liability exposure for 700Credit and potentially affected dealerships facing subrogation claims.

The 700Credit incident demonstrates that even critical service providers in heavily regulated industries remain vulnerable to sophisticated supply chain attacks, underscoring the need for continuous security investment and third-party risk management across all business sectors.