
“We weren’t validating IDs”: Inside the 700Credit breach that exposed nearly 6 million car buyers

Ken Hill talks about 700Credit’s recent data breach.

What happened to 700Credit and car buyers?

In late October 2025, auto finance data provider 700Credit suffered a major incident that exposed sensitive information on roughly 5.8 million people who applied for vehicle financing through about 18,000 U.S. dealerships. The stolen data includes names, addresses, dates of birth, and Social Security numbers tied to credit checks run for car purchases and leases.

Attackers quietly prepared the breach for months by compromising a small outside firm that handled finance and accounting work for independent auto dealers and used 700Credit’s systems every day. According to 700Credit managing director Ken Hill, the company discovered the active “velocity attack” on October 25 and shut it down within about 90 minutes, but by then the intruders had scraped about 20% of the company’s consumer records. (AmericanBanker.com)

How did hackers break in through a vendor?

The attackers first breached an unnamed third‑party partner in July 2025, then read that vendor’s communication logs to see exactly how its platform talked to 700Credit’s servers. Those logs exposed credentials and decryption keys the partner used to call 700Credit’s application programming interface (API), which let the intruders impersonate a legitimate client system when they later hit 700Credit directly.

700Credit’s platform relied on “consumer reference IDs” to pull credit data, but the system did not confirm that a given ID actually belonged to the dealer account making the request, which meant anyone with valid partner credentials could submit large batches of guessed IDs and harvest unrelated consumer files. “We weren’t validating the consumer reference IDs to the original requestor,” Hill admitted in an interview, describing how the logic flaw turned the partner’s stolen keys into a powerful scraping tool. (AmericanBanker.com)
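The missing check Hill describes is an object-level authorization gap. The sketch below is an added example, not 700Credit's code: it puts a lookup that trusts any valid credential beside one that binds each reference ID to its original requestor. The account names, ID format and records are constructed for illustration.

```python
# Added illustration; every name and record here is constructed.

# reference ID -> (requestor account that created it, consumer file)
RECORDS = {
    "REF-1001": ("dealer-A", {"name": "Sample Person 1"}),
    "REF-1002": ("dealer-B", {"name": "Sample Person 2"}),
}
DENIED = []  # audit trail of rejected lookups for monitoring to consume


class NotFound(Exception):
    """Raised for unknown IDs and for IDs that belong to another requestor."""


def fetch_unvalidated(account, ref_id):
    # The flaw: authentication is the only gate, so the caller's account
    # is never compared with the account that created the reference ID.
    return RECORDS[ref_id][1]


def fetch_validated(account, ref_id):
    owner, report = RECORDS.get(ref_id, (None, None))
    # Bind the ID to the original requestor. Unknown and foreign IDs get
    # the same error, so responses do not reveal which IDs exist.
    if owner is None or owner != account:
        DENIED.append((account, ref_id))
        raise NotFound(ref_id)
    return report
```

Recording every denial matters as much as the check itself: a burst of rejected lookups from one credential is the signal that the credential is being used to guess IDs.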

What exactly did the attackers do with the API?

Once the hackers understood the API pattern and the way reference IDs worked, they launched a high‑speed “velocity attack” on October 25, firing off millions of sequential and randomized IDs in a short burst. Hill said the surge lasted about an hour and a half before security teams spotted the abnormal traffic and disabled the compromised integration, but the attackers had already copied months’ worth of log‑accessible consumer records accumulated between May and October.
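A burst like this stands out when API logs are checked per credential for the number of distinct reference IDs requested in a short window. The following is an added example, not 700Credit's detection logic: the event format, window length, threshold and sample traffic are all assumptions constructed for illustration.

```python
# Added illustration; event format, thresholds and traffic are constructed.
from collections import deque


def flag_velocity(events, window_s=60, max_distinct=20):
    """events: time-ordered (epoch_seconds, credential, reference_id) tuples.
    Returns {credential: timestamp at which it first exceeded the limit}."""
    recent = {}   # credential -> deque of (ts, ref_id) inside the window
    flagged = {}
    for ts, cred, ref_id in events:
        q = recent.setdefault(cred, deque())
        q.append((ts, ref_id))
        # Drop requests that have aged out of the sliding window.
        while q and q[0][0] <= ts - window_s:
            q.popleft()
        # Count distinct IDs: repeated polling of a few files is normal,
        # a walk across many different files is not.
        if cred not in flagged and len({r for _, r in q}) > max_distinct:
            flagged[cred] = ts
    return flagged


def sample_events():
    # A dealer integration polling 3 known IDs every 30 seconds.
    normal = [(t, "dealer-A", f"REF-{1000 + (t // 30) % 3}")
              for t in range(0, 600, 30)]
    # One credential requesting a new sequential ID every second.
    burst = [(300 + i, "partner-X", f"REF-{5000 + i}") for i in range(60)]
    return sorted(normal + burst)


if __name__ == "__main__":
    print(flag_velocity(sample_events()))
```

With these sample limits the walking credential is flagged 20 seconds into its burst, which is the point at which an automated response could suspend the integration rather than waiting for manual review.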

Although 700Credit encrypts data at rest and in transit, the compromised partner’s account legitimately held a decryption key so it could see clear‑text results, which meant the intruders could read whatever the API returned. Forensic investigators later confirmed that the incident stayed in the application layer, with no malware installed on 700Credit’s internal network and no ransomware deployed. (AmericanBanker.com)

Did 700Credit pay the attackers, and is the data really safe?

Hill told CBT News there were “several heated conversations” inside the company about whether to pay the attackers to prevent public release of the data, reflecting the pressure to protect both dealers and consumers. He stopped short of confirming a payment but said he is proceeding on the assumption that the stolen data has been contained, based on direct assurances from the threat group that they would not circulate it.

At the same time, Hill conceded the uneasy reality that this confidence rests on trusting the word of criminals: “We believe we’ve secured the data… you’re trusting the word of someone that attacked you.” Regulators and security experts have warned that even when attackers promise deletion, breached consumers should act as though their data could surface on criminal markets at any time. (AmericanBanker.com) (CBTNews.com)

How are regulators treating the breach?

Because auto dealers are classified as financial institutions for data‑security rules, the Federal Trade Commission’s safeguard regulation would normally force each affected dealership to file its own breach report within 30 days. To avoid burying regulators in thousands of duplicative filings, the National Automobile Dealers Association (NADA) worked with 700Credit and the FTC on a one‑time arrangement that lets 700Credit submit a single consolidated notice for all of its impacted dealer clients.

In a December 2 notice, NADA told members that the FTC had accepted the plan and that “dealers have no obligation to file a breach notice with the FTC related to this matter,” though they still have to comply with state‑level consumer‑notification laws. 700Credit has agreed to handle most of those state notifications and mail letters to affected car buyers on dealers’ behalf, but lawyers emphasize that legal responsibility for the data generally still rests with the dealership as the “custodian.” (NADA.org) (700Credit.com)

What are attorneys general and courts doing?

Michigan Attorney General Dana Nessel, whose state alone has roughly 160,000 affected residents, urged anyone who receives a 700Credit notification letter not to “ignore it” and to act quickly to reduce the risk of identity theft. “It is important that anyone affected by this data breach takes steps as soon as possible to protect their information,” she said, pointing to credit freezes, monitoring and careful review of financial statements as key defenses.

Even before 700Credit publicly listed all impacted individuals, plaintiffs’ firms began filing class‑action suits alleging inadequate safeguards and delayed disclosure. These complaints argue that exposing Social Security numbers and birth dates creates long‑term harm for consumers, because such core identifiers cannot be changed easily, if at all. (Michigan.gov) (ClassActionU.org)

What is 700Credit doing for affected consumers and dealers?

700Credit has said it will offer 12 months of free credit monitoring and identity‑restoration services through TransUnion, and will send notification letters as it confirms which individuals were in the scraped data sets. The company has also reported the incident to federal regulators, notified the FBI, and hired outside cybersecurity experts to review its systems, close the validation gap on consumer reference IDs, and harden partner integrations.

Hill has urged dealers to examine their wider vendor ecosystem, warning that compliance rules now expect them to understand and question the security practices of every outside platform that touches consumer data. “I would encourage dealers to look at their vendors… understand their security policies, processes in place, and understand their cyber security,” he said in a December webinar, casting the breach as a wake‑up call for the entire retail‑auto finance chain. (700Credit.com) (SecurityWeek.com)

Jeffrey Childers
Journalist, editor, cybersecurity and computer science expert, social media management, roofing contractor.
