Credit reporting and identity verification firm 700Credit has disclosed a major data breach affecting more than 5.8 million individuals. The incident stemmed from a compromised third-party API connected to the company’s web application, not from a breach of its internal network.

The exposed data includes highly sensitive personal information such as Social Security numbers, creating significant identity theft and fraud risks. Federal and state authorities have been notified, and affected individuals will receive credit monitoring services.

700Credit is a major provider of credit checks, fraud detection, and identity verification services for the automotive and specialty vehicle dealership sector. The company supports approximately 18,000 dealerships across North America and processes large volumes of consumer financial data.

Third-party APIs are widely used to integrate external services into web applications. While they increase efficiency, they also introduce supply chain risk when partner systems are compromised.

700Credit identified unauthorized activity on October 25, 2025. An investigation determined that attackers compromised a partner system in July 2025 and used that access to interact with an API connected to the 700Dealer.com web application.

Through this access, threat actors copied consumer records associated with dealership clients. The activity continued until the attackers were removed, with data exposure occurring between May and October 2025.

The company emphasized that its internal corporate network was not breached and that the incident was limited to the application layer.

The breach originated from a third-party API used by the 700Dealer.com application. Once attackers gained access to the partner environment, they were able to query or extract records through the API interface.

APIs often act as trusted conduits between systems. If authentication, monitoring, or access controls are insufficient, attackers can exploit that trust to extract large datasets without triggering traditional security alarms.

In this case, attackers were able to copy customer records without authorization before access was terminated.

According to filings with state regulators, 5,836,521 individuals were affected. The compromised data generally includes names, addresses, dates of birth, and Social Security numbers.

The scale and sensitivity of the exposed data significantly increase the risk of identity theft, account fraud, and long-term financial harm for affected individuals.

This incident underscores the growing risk posed by third-party dependencies in sensitive data ecosystems. Even when a company’s internal systems remain secure, partner integrations can expose millions of records.

For organizations handling financial and identity data, API security and continuous partner risk assessment are no longer optional safeguards.

Michigan Attorney General Dana Nessel emphasized the importance of rapid consumer action, noting that credit freezes and monitoring services can significantly reduce fraud risk following a breach of this nature.

Regulators continue to stress shared responsibility across vendors, partners, and service providers in protecting consumer data.