Colombian fintech company Addi suffered a breach in March 2026 affecting over 34 million accounts, exposing financial, identity, and credit-related personal data after the ShinyHunters group claimed responsibility and published the stolen data.
What happened
According to HIBP, Addi — a Colombian buy-now-pay-later fintech — detected unauthorized activity on its platform in March 2026. The company notified customers that their personal information may have been compromised.
The extortion group ShinyHunters subsequently claimed responsibility for the attack, as reported by HIBP. The group published a large trove of data allegedly taken from Addi's systems, including records from credit scoring requests, credit bureau files, customer identity records, and email validation logs.
What was exposed
According to HIBP, the exposed data includes email addresses, names, phone numbers, physical addresses, government-issued IDs (Cédula de Ciudadanía), credit scores, estimated income levels, socioeconomic classifications, purchase history, device information, IP addresses, and precise location data (latitude and longitude pairs).
Who is affected
Approximately 34.5 million unique accounts are reported to be affected, according to HIBP. Those impacted are primarily individuals who submitted credit applications or used Addi's buy-now-pay-later services in Colombia.
What to do now
If you have used Addi's services, monitor your financial accounts and credit reports closely for any suspicious activity. Be alert to phishing attempts, as attackers may use your name, email, and phone number to craft convincing scams. Consider placing a fraud alert with credit bureaus if your government-issued ID was exposed. Change your Addi password and any reused passwords on other services immediately.