ShellCodeX
Tools • Events • News • Insights
ShellCodeX Breach Report

Addi Data Breach

addi.com
Major exposure
Verified breach
Accounts exposed 34,532,941
Breach date 25 Mar 2026
Added to tracker 18 May 2026
Data classes 13

What happened

In March 2026, the Colombian fintech company Addi identified unauthorised activity on its platform and advised customers that "it is possible that your personal information may have been compromised". The "pay or leak" extortion group ShinyHunters subsequently claimed responsibility and published a large trove of personal data allegedly obtained from Addi. The data included 34M unique email addresses from credit scoring requests, credit bureau records, customer identity records and email validation logs. It also contained government issued IDs (Cédula de Ciudadanía), estimated income, socioeconomic levels, purchases and other credit-related data points.

Exposed data

Age groups Credit scores Device information Email addresses Government issued IDs Income levels IP addresses Latitude and longitude pairs Names Phone numbers Physical addresses Purchases Socioeconomic levels

Recommended actions

  • Watch for targeted phishing emails referencing Addi — attackers weaponise breach data quickly.
  • Stay alert for smishing (SMS phishing) and SIM-swap attempts using your phone number.
  • Exposed identity data raises identity-theft risk — consider credit monitoring or a credit freeze.
  • Check whether your email address appears in this breach on haveibeenpwned.com.
Am I affected? Check whether your email address appears in this breach.
Check on HIBP