700Credit, an automotive credit-reporting and dealership services provider, has confirmed a data breach that exposed the Social Security numbers and personal information of an estimated 5.6 to 5.8 million individuals nationwide. The company detected suspicious activity on October 25, 2025, and brought in third-party forensic support to investigate. Public reporting and state attorney general disclosures point to a compromised integration partner and an abused API connection tied to the 700Dealer.com platform as the vector for a sustained, high-volume data extraction event.
What Happened
700Credit sits at the center of the automotive retail ecosystem, brokering credit reports and consumer financial data between lenders, credit bureaus, and thousands of car dealerships. According to security reporting, the chain began in July 2025 with the compromise of one of 700Credit's integration partners. Attackers subsequently discovered and leveraged an API used to retrieve consumer information.
The company noticed suspicious activity on October 25, 2025, and launched an investigation with outside forensic specialists. Dealer-focused industry reporting characterized the incident as a sustained, high-velocity event lasting more than two weeks, with extraction activity tied to the 700Dealer.com platform and an API connection. Michigan's Attorney General stated that the breached data was collected from dealers between May 2025 and October 2025, establishing the earliest confirmed exposure window. At least one statutory filing narrowed the core incident window to October 25 through October 27, 2025.
By February 2026, related lawsuits were consolidated in the U.S. District Court for the Eastern District of Michigan under the caption In re 700 Credit Data Security Incident Litigation, with a consolidated complaint deadline of February 20, 2026.
What Was Taken
The exposed data centers on Social Security numbers, the most sensitive identifier handled in the credit-reporting workflow. Public reporting as of February 20, 2026 continued to cite an affected population of approximately 5.6 to 5.8 million individuals nationwide.
State-level figures provide additional scale. Disclosures named more than 160,000 Michigan residents and 108,829 South Carolina residents among those affected. Because the data was harvested from dealership credit-application pipelines, the records almost certainly carry the full bundle of information required for an auto loan: names, SSNs, and associated financial and identity details. At the time of its most recent updates, 700Credit maintained that it had not identified confirmed identity theft or fraud directly tied to the incident.
Why It Matters
This breach is a textbook illustration of third-party and integration risk in a tightly coupled data-sharing ecosystem. 700Credit was not breached through its own front door; the initial foothold came through an integration partner, and the bulk extraction rode an API built to move consumer data at scale. Defenders should treat every trusted integration as part of their own attack surface.
The volume and sensitivity are the strategic story. Millions of SSNs collected from auto-loan applications represent a high-value, long-shelf-life dataset for identity theft and synthetic identity fraud. Unlike a leaked password, an SSN cannot be rotated. The fact that 700Credit reported no confirmed fraud at the time does not lower the risk; large SSN datasets often surface in fraud campaigns months or years after exfiltration.
The incident also underscores the regulatory and legal weight of these events. Consolidated federal litigation and active attorney general scrutiny across multiple states signal that breaches of this scale carry sustained legal and compliance exposure well beyond the initial notification.
The Attack Technique
The most detailed public account describes a supply-chain style intrusion. In July 2025, one of 700Credit's integration partners was compromised. From that position, the attackers identified an API used to retrieve consumer information and used it to pull data over an extended period.
Dealer and industry reporting describe a sustained, high-velocity extraction lasting more than two weeks, with the activity tied to the 700Dealer.com platform and its API connection. This pattern, valid credentials or trusted-partner access feeding automated bulk pulls through a legitimate API, is consistent with abuse that blends into normal traffic and evades signature-based detection until volume anomalies trigger an alert. Detection on October 25, 2025 appears to have come well after the access window opened, reflecting the difficulty of spotting authorized-looking API queries. No government authority had publicly named a specific threat actor as of the latest updates.
What Organizations Should Do
- Inventory and monitor every third-party integration and API connection that can reach consumer or financial data. Treat partner credentials as a primary attack vector and map exactly what each integration can read.
- Enforce rate limiting, anomaly detection, and volume baselining on data-retrieval APIs. A two-week, high-velocity extraction should trigger automated alerts long before manual discovery.
- Apply least-privilege scoping to API tokens and partner accounts so a single compromised integration cannot pull the full consumer dataset.
- Require breach-notification and security-attestation clauses in partner contracts, and validate that integration partners meet your own monitoring and incident-response standards.
- Dealerships that received 700Credit notifications should document the systems and data involved, contact the dedicated support line at (866) 273-0345 for operational questions, and engage their own legal counsel to assess notification obligations and regulatory exposure, since 700Credit does not provide legal guidance.
- Offer affected consumers credit monitoring and encourage credit freezes; because SSNs cannot be reissued, freezes are the most durable protection against downstream identity and synthetic-identity fraud.