700Credit, a U.S.-based financial services and fintech company, will start notifying more than 5.8 million people that their personal information has been exposed in a data breach incident.

The cyberattack occurred after a threat actor had breached one of 700Credit's integration partners in July and discovered an API for obtaining customer information. However, the partner did not inform 700Credit of the compromise.

700Credit noticed suspicious activity on its systems on October 25 and launched an investigation, with assistance from third-party computer forensic specialists.

"The investigation determined that certain records in the web application relating to customers of its dealership clients were copied without authorization," 700Credit says in the notification to affected individuals.

According to 700Credit Managing Director Ken Hill, the attacker managed to steal around 20% of consumer data from May to October before the company terminated the exposed API.

The threat actor was able to exfiltrate data due to a security vulnerability in the API, a failure to validate consumer reference IDs against the original requester.

The data types that have been exposed include:

• Full name
• Physical address
• Date of birth
• Social Security Number (SSN)

700Credit is one of the largest providers of credit reporting, identity verification, and fraud and compliance services for automotive dealers across the United States. According to the company, it provides credit reports and soft pull solutions to more than 23,000 automotive, RV, Powersports, and Marine dealer customers.

It is worth noting that the company filed with the Federal Trade Commission (FTC) a breach notification on its behalf and a consolidated one on behalf of all its affected dealer clients.

700Credit customers impacted by the breach no longer have to file a notice with the FTC or with state attorney general's Offices, as the company will do it on their behalf as well.

700Credit also informed the National Automobile Dealers Association (NADA) about the incident to raise awareness.

A dedicated page on the company's website provides general details about the data breach and the type of information impacted.

To help affected individuals mitigate the risk, 700Credit is offering a 12-month free-of-charge identity protection and credit monitoring service through TransUnion, with a 90-day to enrollment period.

Recipients of the data breach notification are advised to monitor their accounts closely and consider placing a security freeze.

At the time of writing, no ransomware groups claimed the attack. BleepingComputer has contacted 700Credit to learn more about the incident, but a comment wasn’t immediately available.