Breach taxonomy
Summary
On September 1, 2025, Prosper Marketplace identified that an unauthorized third party gained access to company systems containing proprietary, confidential, and personal information, including Social Security numbers, obtained through unauthorized queries on customer and applicant databases. Customer-facing operations were uninterrupted and no customer accounts or funds were compromised. Prosper initiated its cybersecurity response plan, engaged outside experts, and notified law enforcement. The company was still determining the full scope of exposed records as of filing and had not yet assessed materiality. Prosper holds cybersecurity insurance.
Tagging rationale
ThreatUnknown
Filing refers to 'an unauthorized third party' without attributing the incident to any specific actor category -> UNKNOWN.
MethodsData Exfil
Unauthorized third party made unauthorized queries on company databases to extract customer and applicant data -> DATA-EXFIL.
AssetsPersonal DataConfidential Biz
Filing confirms confidential, proprietary, and personal information including Social Security numbers was obtained via unauthorized database queries -> PERSONAL-DATA and CONFIDENTIAL-BIZ.
EffectsInfo Privacy Loss
Personal information including Social Security numbers of customers and applicants was obtained without authorization -> INFO-PRIVACY-LOSS.
Impact
Online lending marketplace with confirmed exfiltration of customer SSNs via unauthorized database queries; operations uninterrupted, no accounts/funds compromised; full scope undetermined at filing -> score 2.
InsuranceYes
Filing references 'the cost to the Company of its insurance policy covering cybersecurity incidents' in direct connection with this incident -> true.
Read the original SEC filing excerpt
ITEM 8.01 - Other Events. On September 1, 2025, Prosper Marketplace, Inc. ("PMI") and Prosper Funding LLC ("PFL", and together with PMI, the "Company") identified that an unauthorized third party gained access to the Company's systems that contain proprietary and confidential information. The Company promptly initiated its cybersecurity response plans and began taking steps to investigate, contain, and remediate the incident and enhance its security measures with the assistance of cybersecurity experts. The Company has also informed law enforcement. There is no evidence of unauthorized access to customer accounts and funds, and the Company's customer-facing operations continue uninterrupted. As of the date of this filing, the Company has determined that the incident has not had a material impact on its overall business operations, or on PMI and PFL individually. While the Company's investigation is ongoing, the Company has evidence that confidential, proprietary, and personal information, including Social Security numbers, was obtained, including through unauthorized queries made on Company databases that store customer and applicant data. The Company is still in the process of identifying what information, including the number of records of personal information, was compromised. The Company will make required regulatory and individual notifications on a rolling basis. The Company has yet to determine the full scope and impact of the incident and therefore the Company has yet to determine whether the incident is reasonably likely to materially impact its financial condition and results of operations, or PMI and PFL individually. The Company remains subject to various risks due to the incident, and an increase in the cost to the Company of its insurance policy covering cybersecurity incidents.