Colombian fintech Addi confirms 34.5M-account breach after ShinyHunters published credit and ID data
Have I Been Pwned has added Colombian buy-now-pay-later fintech Addi to its breach corpus with 34,532,941 unique email addresses. Addi acknowledged unauthorized activity on its platform back in March 2026 and warned customers that personal data might have been compromised. ShinyHunters then claimed responsibility and published the dataset, which goes well beyond emails: credit-scoring requests, credit bureau records, customer identity files, email-validation logs, Cedula de Ciudadania national ID numbers, estimated income, socioeconomic level, and purchase history. Addi is a Bogota-based BNPL lender with $1B+ in funding and is one of the larger Latin American fintech breaches publicly documented this year.
- Check
- If your org operates in Colombia or onboards Colombian customers, search fraud and KYC pipelines for accounts created since March 2026 using a Cedula present in the leak. Monitor for synthetic-identity signals.
- Affected
- Anyone who held an Addi account before March 2026, plus organizations that rely on Colombian credit-bureau attributes or Cedula numbers for customer verification. ShinyHunters has now publicly released the data.
- Fix
- Individuals: freeze credit at DataCredito and TransUnion CIFIN, assume your Cedula and income data are public. Organizations: switch from Cedula-only verification to multi-factor identity proofing for new Colombian accounts.