Addi Fintech Breach: 34 Million Accounts Exposed by ShinyHunters

In March 2026, the Colombian fintech Addi reported unauthorized activity on its platform and warned customers that their personal information may have been compromised. The “pay or leak” group ShinyHunters subsequently claimed responsibility, publishing a massive data trove allegedly exfiltrated from Addi.

Have I Been Pwned confirms the breach exposed 34 million unique email addresses. This data originated from credit scoring requests, credit bureau records, customer identity records, and email validation logs. Critically, the leak also included sensitive government-issued IDs (Cédula de Ciudadanía), estimated income, socioeconomic levels, purchase history, and other credit-related data points.

This incident highlights the severe risks fintech companies face. The depth of personal and financial data held by Addi makes this a goldmine for identity theft and sophisticated social engineering campaigns. Defenders must recognize that such comprehensive datasets enable attackers to craft highly convincing phishing lures and bypass less robust authentication mechanisms.

What This Means For You

  • If you are an Addi customer, assume your full identity profile is compromised. Monitor your credit reports diligently for fraudulent activity. Be extremely wary of any communications, especially those referencing financial details or government IDs, as attackers now possess the context to make them highly believable. This is a clear indicator that data integrity for fintechs must be paramount; a single breach can expose users to long-term financial and identity risks.

Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

ShinyHunters Data Exfiltration via Web Server (critical, T1041 Exfiltration)

