SoFi Technologies Data Breach Class Action Lawsuit Hacker Got Into SoFi Over the Holidays. Now 38,000+ Customers Are Suing

On or around January 2, 2026, SoFi discovered unauthorized activity in its systems. The incident resulted from a social engineering attack that allowed an unauthorized individual to access certain internal systems between December 29, 2025, and January 3, 2026. On February 27, 2026, plaintiff Joshua Cook filed a class action lawsuit in the U.S. District Court for the Northern District of California, accusing SoFi of failing to protect customers’ private information. No settlement exists. The case is in its earliest stage.

Quick Facts

Field	Detail
Case Name	Cook v. SoFi Technologies Inc.
Case Number	3:26-cv-01722
Court	U.S. District Court, Northern District of California, San Francisco Division
Judge	Magistrate Judge Sallie Kim
Breach Dates	December 29, 2025 – January 3, 2026
People Affected (confirmed)	At least 38,049 Washington state residents
Settlement	None — early litigation stage
Claim Deadline	N/A
Laws Cited	FTC Act (Section 5), Illinois Consumer Fraud Act, negligence, breach of contract

Where Things Stand

• The complaint was filed February 27, 2026, and assigned to Magistrate Judge Sallie Kim. SoFi has not yet formally responded in court.
• No class has been certified, no settlement has been proposed, and no claims portal exists. Nothing requires action from affected customers right now.
• SoFi activated its incident response plan, engaged cybersecurity experts, and notified law enforcement. The company reported that no unauthorized activity has been observed since January 3, 2026.

The Breach Happened on the Quietest Weekend of the Year

The breach occurred on December 29, 2025 — the last Sunday of the year, deep in the holiday lull between Christmas and New Year’s. Attackers have long exploited these windows, knowing that response times are slower and fewer eyes are watching security monitors.

The incident resulted from social engineering — a tactic where attackers manipulate employees into granting access rather than exploiting a software vulnerability. One unauthorized individual used this method to enter SoFi’s internal systems and remained inside for six days before the company detected the intrusion on January 2, 2026.

SoFi filed its breach notification with the Washington State Attorney General on January 26, 2026 — approximately 28 days after the incident, just within Washington’s 30-day notification requirement. Affected customers received individual breach notices in late January and early February.

What Information Was Exposed — and Why It Matters

The breach compromised customers’ names, dates of birth, home addresses, email addresses, phone numbers, employment information, and education information. SoFi stated that no account numbers, passwords, or debit and credit card numbers were accessed.

That may sound reassuring, but the combination of data that was taken creates serious identity theft risk. A full name paired with a date of birth, home address, employer, and contact details gives criminals everything they need to open fraudulent credit accounts, file false tax returns, or bypass phone-based customer authentication at banks and government agencies.

Related article: Dollar Tree Class Action, Shopper Says the Receipt Printed Too Much of Her Credit Card Number and Federal Law Prohibits It

SoFi has not publicly disclosed the total number of affected individuals beyond the 38,049 Washington state residents confirmed in its state filing. Washington represents roughly 2.3% of the U.S. population, which raises questions about the true national scope of the breach — though SoFi has not confirmed any broader figure.

What the Lawsuit Accuses SoFi of Getting Wrong

The core argument in the complaint is not just that the breach happened — it’s that SoFi made it easier for attackers by ignoring basic security standards a company of its size should have had in place.

The complaint alleges SoFi failed to implement industry-standard cybersecurity measures, including minimum standards set by the NIST Shields Up guidance published by the Cybersecurity and Infrastructure Security Agency. The lawsuit argues SoFi owed customers a duty to exercise reasonable care in obtaining, retaining, securing, and protecting private information from being accessed by unauthorized persons.

Cook also claims SoFi failed to timely notify affected consumers about the breach and did not offer adequate assurances that their personal information had been recovered or destroyed. The lawsuit further argues SoFi failed to comply with FTC guidelines and industry standards for protecting consumer financial data.

The complaint asserts seven counts: negligence, negligence per se under Section 5 of the FTC Act, breach of contract, and violation of the Illinois Consumer Fraud Act, among others. SoFi has not yet filed a response.

Who Could Be Part of This Lawsuit

The plaintiff seeks to represent two groups:

• A nationwide class of all individuals whose personal information was compromised in the SoFi data breach
• An Illinois subclass of individuals whose information was exposed and who reside in Illinois, where the Illinois Consumer Fraud Act provides additional consumer protections

You may fall into one of these groups if:

• You are a current or former SoFi member whose personal information was stored in the affected systems
• You received a breach notification letter or email from SoFi in January or February 2026
• Your name, date of birth, address, email, phone number, employment details, or education information was among the data accessed

Class certification has not yet been granted. Until a court formally certifies the class, no one is officially “in” the lawsuit as a class member.

What the Lawsuit Is Asking the Court to Order

The class seeks monetary damages, lifetime credit monitoring and identity theft insurance funded by SoFi, injunctive relief requiring SoFi to overhaul its data security practices, payment of costs for notifying class members, and attorneys’ fees.

No dollar amount has been specified and no settlement has been offered. Compensation in data breach class actions varies widely depending on the size of the class, the severity of documented harm, and how courts assess the risk of future identity theft as a compensable injury.

Steps to Take If You Received a SoFi Breach Notice

No claim form exists and nothing is required right now. But these steps protect you regardless of how the lawsuit proceeds:

Step 1 — Place a free credit freeze at all three bureaus. Contact Equifax, Experian, and TransUnion directly. A freeze prevents anyone from opening new credit in your name without your explicit authorization.

Step 2 — Set up fraud alerts. A fraud alert requires creditors to verify your identity before issuing new credit. You can place one free alert with any bureau and they are required to notify the others.

Step 3 — Review your credit reports. Visit AnnualCreditReport.com for free reports from all three bureaus. Look for accounts, inquiries, or addresses you do not recognize.

Step 4 — Save your breach notification letter. Keep the original notice SoFi sent you. It documents your eligibility and may be relevant if a settlement is reached later.

Step 5 — Monitor for phishing attempts. Attackers who obtained your email address and employer information may craft targeted phishing emails designed to look like legitimate communications from SoFi or other financial institutions.

Step 6 — Watch this page for updates. This article will be updated when SoFi files its court response, when the court rules on class certification, or when any settlement is announced.

Key Dates

Milestone	Date
Breach Begins	December 29, 2025
Breach Ends	January 3, 2026
SoFi Discovers Intrusion	~January 2, 2026
SoFi Files WA State Breach Notice	January 26, 2026
Customer Notices Sent	Late January – Early February 2026
Class Action Filed	February 27, 2026
Case Assigned to Judge	February 27, 2026
SoFi Response Due	TBD
Class Certification Hearing	TBD
Settlement	None — litigation phase only
Claim Deadline	N/A

Frequently Asked Questions

Do I need a lawyer to join this lawsuit? 

Not at this stage. If the court certifies a class, affected SoFi customers are automatically included and represented by class counsel at no personal cost. You do not need to hire your own attorney unless you want to pursue an individual claim outside the class action.

Is this lawsuit legitimate? 

Yes. Cook v. SoFi Technologies Inc. is a real federal case, Case No. 3:26-cv-01722, filed in the U.S. District Court for the Northern District of California on February 27, 2026. You can verify it through the court’s PACER system or Justia’s public docket listings. These are allegations only — no finding of wrongdoing has been made.

When will I receive a payment? 

There is no payment available and no timeline to provide. Data breach class actions typically take one to three years to resolve, and many never reach a settlement. If and when a settlement is announced, this article will be updated with eligibility and claims information.

What if I missed the claim deadline?

 There is no claim deadline because no settlement exists. No action is required right now. If a settlement is reached in the future, a new deadline will be announced.

Will a settlement payment affect my taxes? 

Not applicable at this time. If a settlement is eventually reached, the tax treatment will depend on how the settlement fund is classified — whether payments compensate for actual financial losses, identity theft remediation costs, or statutory damages. Consult a tax professional when and if you receive any payment.

SoFi said my account numbers and passwords weren’t taken. Should I still be worried?

 Yes. Full names combined with dates of birth, home addresses, employer information, and contact details give criminals everything they need to apply for new credit, impersonate you on the phone with financial institutions, or launch targeted phishing attacks. The absence of passwords or account numbers does not eliminate your identity theft risk.

What is social engineering and how did it lead to this breach?

 Social engineering is a cyberattack method that manipulates people rather than systems. Instead of exploiting a software flaw, attackers convince employees — through deception, impersonation, or psychological pressure — to grant access to systems or share credentials. SoFi confirmed the breach resulted from social engineering that allowed an unauthorized individual to access certain internal systems. No software vulnerability was cited.

Is SoFi offering free credit monitoring? 

SoFi has not publicly announced a free credit monitoring program for all affected customers as of the date of this article. Check the notice you received from SoFi directly for any remediation services offered. You can also obtain free credit monitoring independently through Experian, Credit Karma, or your credit card issuer.

Sources & References

• Justia Docket — Cook v. SoFi Technologies Inc., Case No. 3:26-cv-01722
• Washington State Attorney General — SoFi Data Breach Notification Filing, January 26, 2026
• CISA NIST Shields Up Guidance — Referenced in Complaint

Last Updated: March 26, 2026

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding a particular situation, consult a qualified attorney.