Breach: Addi (34,532,941 accounts) — Age groups, Credit scores, Device information

On March 25, 2026, a data breach affecting Addi, a fintech platform, was published on Have I Been Pwned, exposing 34,532,941 accounts. The compromised data includes age groups, credit scores, and device information. This incident falls under the BREACH framework, indicating a confirmed and verified breach of personal data.

This breach primarily impacts financial services and fintech organizations, particularly those operating in consumer lending or digital credit assessment. Any entity that relies on similar data categories—such as age demographics, credit scoring, or device fingerprinting—should consider this a material risk indicator. The scale of the breach suggests that affected individuals may now face increased exposure to identity theft, targeted phishing, or credit fraud.

Compliance teams should immediately verify whether their organization has any data-sharing or service relationships with Addi. If so, conduct a Data Protection Impact Assessment and notify relevant supervisory authorities under GDPR Article 33 within 72 hours if there is a risk to data subjects. Additionally, review incident response plans for handling large-scale breaches, and consider updating customer communication templates to address potential phishing campaigns leveraging the exposed data. Finally, reassess third-party vendor risk management processes to ensure similar exposures are mitigated in future.