Prosper Data Breach Lawsuit, 17.6 Million Records Exposed, What Customers and Applicants Need to Know

ByAll About Lawyer Reading Time: 6 minutes

Prosper Marketplace, one of the country’s largest peer-to-peer lending platforms, suffered a major data breach in 2025 that may have exposed the personal and financial information of up to 17.6 million people. What makes this breach particularly serious is that hackers reportedly had access to Prosper’s internal systems for nearly three months before the company detected the intrusion. Multiple class action lawsuits have since been filed. Here is what happened, who is affected, and what you can do.

What Is Prosper Marketplace?

Prosper Marketplace, Inc. is an online lending platform that connects borrowers and investors through personal loans and financial products. Founded in 2005, Prosper has facilitated billions in loans and serves customers nationwide. Because it handles detailed financial applications — including income data, Social Security numbers, and government IDs — it stores some of the most sensitive personal information any consumer-facing platform can hold.

What Happened and When?

The investigation determined that an unauthorized third party accessed certain files containing sensitive information between June and August 2025. On September 1, 2025, Prosper Marketplace, Inc. and Prosper Funding LLC detected the security breach, where an unauthorized party accessed their systems containing sensitive information, according to a report filed with the Securities and Exchange Commission.

This timeline matters. The gap between June and September 2025 means hackers may have had silent access to Prosper’s systems for up to three months before the company noticed. That kind of prolonged access is not a brief intrusion — it suggests the attacker had time to methodically query databases and extract large volumes of data without triggering alerts.

Prosper later determined that unauthorized queries were run against databases containing customer and applicant information during that period. Breaches involving database queries often raise serious questions about access controls, monitoring, and delayed detection.

What Data Was Exposed?

The information exposed included at least names, Social Security numbers, IP addresses, physical addresses, government-issued IDs, income levels, and email addresses. Depending on the individual account, the data involved may also include dates of birth, bank account information, tax data, and credit application details.

This combination is especially dangerous. Social Security numbers and government IDs, combined with income levels and financial history, give bad actors nearly everything they need to open fraudulent credit accounts, file false tax returns, or take out loans in someone else’s name.

Related article: Claude AI Down Worldwide March 2026 Causes, Scope & What Users Need to Know

Prosper Data Breach, 17.6 Million Records Exposed, What Customers and Applicants Need to Know

How Many People Were Affected?

The breach reportedly affected 17.6 million people, and that number may increase as the investigation continues. After investigating the data breach, Prosper conclusively determined that personal identity information and financial information had been accessed and copied, and began notifying customers on September 17, 2025.

Importantly, the affected group is broader than just existing Prosper customers. Prosper’s disclosures reference customer and applicant databases — meaning even if you did not ultimately take out a loan, submitting personal or financial information as part of an application could place you within the impacted group. If you ever applied to Prosper — even without completing the process — your data may still have been at risk.

What Do the Lawsuits Claim?

Multiple data breach class action lawsuits were filed against Prosper in late 2025, alleging that sensitive personal information of 17.6 million customers was exposed as a result of inadequate security measures. One named case is Taylor v. Prosper Funding, LLC, which alleges Prosper was negligent in implementing sufficient security protocols to protect user data.

The lawsuits broadly allege negligence, breach of implied contract, and violations of applicable consumer protection statutes. Plaintiffs argue that Prosper’s failure to detect the intrusion for up to three months — and its storage of highly sensitive financial data without adequate safeguards — fell below industry standards and legal requirements.

Claimed harms include unauthorized charges, drained accounts, fraudulent loans or credit misuse tied to the breach, expenses related to credit freezes and monitoring services, hours spent securing accounts and disputing charges, and the ongoing stress and disruption caused by the risk of identity theft or financial harm.

What Has Prosper Said?

Following the breach, Prosper implemented enhanced security measures and continues to monitor its systems. The company stated it took steps to contain the incident after detection, engaged outside cybersecurity experts, and notified law enforcement. It has also begun notifying affected individuals by email and mail.

Prosper has not made detailed public statements about how the attackers gained access or why the intrusion went undetected for multiple months. Those questions are central to the pending lawsuits.

A Pattern Worth Noting

This is not Prosper’s first encounter with federal regulators. Between 2006 and October 2008, Prosper Marketplace was involved in offering and selling promissory notes that were classified as unregistered securities, violating both federal and state laws. The SEC issued an administrative order against Prosper in November 2008, and Prosper agreed to cease and desist from future violations.

While that case involved securities compliance rather than data security, it adds context to the company’s longer regulatory history as the current lawsuits proceed.

State Law Angles That May Strengthen Claims

If you live in California, you may be entitled to compensation of up to $750 under state privacy laws. If you live in Virginia, you may be entitled to up to $500 under Virginia’s Unfair and Deceptive Acts and Practices statute.

California’s Consumer Privacy Act (CCPA) gives residents specific rights over how companies collect, store, and protect their personal data — and provides for statutory damages when those obligations are breached. Several other states have passed similar laws in recent years, meaning where you live may significantly affect the legal options available to you.

What Should Affected Customers Do Now?

Whether or not you plan to pursue legal action, these steps are worth taking immediately:

  • Check for a breach notice — Prosper began mailing and emailing notifications on September 17, 2025. You can also call 833-918-9464 to confirm whether your account was affected.
  • Place a credit freeze with all three major bureaus — Equifax, Experian, and TransUnion — at no cost. This prevents new credit accounts from being opened in your name.
  • Set up fraud alerts as an additional layer of protection if you prefer not to freeze credit entirely.
  • Monitor financial accounts closely for unauthorized charges, new accounts, or loan applications you did not initiate.
  • Save all documentation — keep copies of the breach notice, any suspicious account activity, and records of time and money spent protecting yourself. This documentation may be relevant if you pursue a claim.
  • Consult a qualified attorney if you believe you have been harmed. A data privacy attorney can assess your specific situation and advise on applicable state and federal legal options.

FAQs

What is the Prosper data breach? 

On September 1, 2025, Prosper Marketplace, Inc. and Prosper Funding LLC detected a security breach where an unauthorized party accessed their systems containing sensitive information. The breach reportedly affected as many as 17.6 million people.

What personal information was exposed in the Prosper breach? 

Exposed information included at least names, Social Security numbers, IP addresses, physical addresses, government-issued IDs, income levels, and email addresses. Some accounts may also have had financial and tax data compromised.

I only applied for a Prosper loan but never completed it — am I affected?

 Possibly. Prosper’s breach involved both customer and applicant databases. If you submitted personal or financial information as part of an application — even one you did not complete — your data may have been among the records accessed.

How long did hackers have access to Prosper’s systems? 

The investigation determined that unauthorized access occurred between June and August 2025 — up to three months before Prosper detected the breach on September 1, 2025.

Have lawsuits been filed against Prosper?

 Yes. Multiple data breach class action lawsuits were filed against Prosper in late 2025, alleging that 17.6 million customers’ data was exposed as a result of inadequate security measures. One named case is Taylor v. Prosper Funding, LLC.

Do I need to have experienced identity theft to file a claim?

 Not necessarily. You do not need to experience immediate financial theft for exposure of this kind of data to be legally significant. Courts increasingly recognize that long-term risk and time spent protecting yourself constitute real, compensable harm.

How do I confirm my data was affected? 

Prosper began notifying affected individuals by email and mail on September 17, 2025. You can also call Prosper directly at 833-918-9464 to confirm whether your information was involved.

Last Updated: March 3, 2026

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Laws and legal procedures vary by jurisdiction and may change over time. For advice regarding a specific situation, consult a qualified attorney or the appropriate authority.

About the Author

Sarah Klein, JD

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah

Leave a Reply

Your email address will not be published. Required fields are marked *