Data Breach

Addi Data Breach March 2026 - What Was Exposed and What To Do

34,532,941 records exposed

The Addi data breach exposed 34,532,941 records including Age groups, Credit scores, Device information, Email addresses, Government issued IDs, Income levels, IP addresses, Latitude and longitude pairs, Names, Phone numbers, Physical addresses, Purchases, Socioeconomic levels. This breach has been verified by HaveIBeenPwned. Affected users should check HaveIBeenPwned.com and take immediate steps to protect their accounts.

What Happened

In March 2026, the Colombian fintech company Addi identified unauthorised activity on its platform and advised customers that "it is possible that your personal information may have been compromised". The "pay or leak" extortion group ShinyHunters subsequently claimed responsibility and published a large trove of personal data allegedly obtained from Addi. The data included 34M unique email addresses from credit scoring requests, credit bureau records, customer identity records and email validation logs. It also contained government issued IDs (Cédula de Ciudadanía), estimated income, socioeconomic levels, purchases and other credit-related data points.

Breach date
2026-03-25
Records affected
34,532,941
Verified
Yes
Domain
addi.com

What Was Exposed

The following data types were included in the breach:

  • Age groups
  • Credit scores
  • Device information
  • Email addresses
  • Government issued IDs
  • Income levels
  • IP addresses
  • Latitude and longitude pairs
  • Names
  • Phone numbers
  • Physical addresses
  • Purchases
  • Socioeconomic levels

What You Should Do

If you had an account with Addi, take these steps immediately:

  1. Check if your account was affected at HaveIBeenPwned.com
  2. Watch for phishing emails that reference the breach or impersonate the affected company
  3. Place a fraud alert or credit freeze with all three credit bureaus (Equifax, Experian, TransUnion)
  4. Monitor your credit report for unauthorized accounts or inquiries
  5. Be alert for social engineering attempts using your exposed personal information
  6. Enable two-factor authentication on the affected service if available
  7. Consider using a password manager to generate unique passwords for each service

FAQ

Was my data in the Addi breach?
Check HaveIBeenPwned.com to see if your email address was included in the Addi breach. The breach exposed 34,532,941 records containing Age groups, Credit scores, Device information, Email addresses, Government issued IDs, Income levels, IP addresses, Latitude and longitude pairs, Names, Phone numbers, Physical addresses, Purchases, Socioeconomic levels.
What should I do if my data was exposed in the Addi breach?
Change your password on the affected service immediately. Enable two-factor authentication. If financial data or government IDs were exposed, place a fraud alert with credit bureaus and monitor your accounts for unauthorized activity.
When did the Addi data breach happen?
The Addi breach occurred on 2026-03-25. It was added to the HaveIBeenPwned database on 2026-05-18. The breach affected 34,532,941 accounts.

Need Incident Response?

Sherlock Forensics investigates data breaches for organizations. We determine scope of exposure, identify attack vectors, preserve evidence for legal proceedings and help you meet notification requirements.

Get Incident Response Help