A threat actor has released a large database on a popular hacking forum that allegedly came from LendingTree.com. We have analyzed the data and confirmed that it includes extensive private information from 200,643 loan applications from the United States, but LendingTree is denying a breach.
LendingTree is a publicly traded company based in Charlotte, North Carolina that specializes in connecting consumers with lenders. Consumers can complete loan applications and surveys on LendingTree’s website and then assess different lending options, credit cards, and insurance.
From LendingTree’s website:
We help you get your best deal possible on your loans, period. By giving consumers multiple offers from several lenders in a matter of minutes, we make comparison shopping easy. And we all know – when lenders compete for your business, you win!
LendingTree.com
Earlier this month, two different forum users posted the database allegedly breached from LendingTree.com. In the most recent post, dated June 18, 2022, the user decided to post the “LendingTree DB for free”. This appears to be based on a disagreement with another user who was attempting to sell the same database on the forum.
Either way, this database is currently available for anyone to download and view if you have the URL for access.
We downloaded the file and analyzed the data.
200,643 mortgage leads from the US
We were able to access and analyze the database and can confirm it includes the following data for every submitted entry (customer):
- Email address
- Name (first and last)
- Physical address
- Phone number
- IP address
- Date and time of loan form submission
- Source of lead (LendingTree.com)
- Loan type that the applicant is seeking
- Home description
- Credit profile score
- Property use
- Military status
- Price
The database contains 200,643 entries.
All of the entries are dated between October and November 2021 with the source being listed as LendingTree.com.
Here is a sample of just three entries from the database with PII redacted.
All of the entries that we attempted to verify using publicly available search tools match real-world people.
That is not to say that every entry is completely legitimate, as visitors to LendingTree.com could potentially enter fake information to check on loan rates, for example. However, all of the entries we analyzed in the database do appear to match with real people in the United States.
We reached out to LendingTree for comment on the situation and they provided us with this statement:
We previously conducted an investigation on this data set, and have determined that this data leak did not originate at LendingTree.
We maintain a comprehensive information security program and continually work to help protect the data of our customers.
– LendingTree statement to RestorePrivacy
While LendingTree itself is denying responsibility for the breach, it is directly listed as the source for the entries in this data set, as you can see in the sample above.
Things get even more complex when we dig into LendingTree’s Privacy Policy.
LendingTree shares user data with a large network of third parties
Looking at LendingTree’s Privacy Policy, we find that the business shares user data with a wide network of third parties:
- LendingTree Affiliates
- Network Partners
- Financial Companies
- Other Business Partners
- LendingTree Service Providers
- Other Situations
Each bullet from the list above includes a longer explanation about how user data is getting passed around. You can read about it here.
This section details how data is shared through a network of third parties whenever a visitor to LendingTree.com submits an inquiry on the site.
When you submit an inquiry or use another Service provided through the Website, you direct LendingTree to share information about you or provided by you with lenders and other third parties in our network to deliver the products and services you request (collectively, “Network Partners”).
So, if you use the LendingTree website, you “direct LendingTree to share information about you” with a network of other parties.
And how well are these other parties safeguarding your private data?
Who exactly is responsible for the current data breach that labels LendingTree.com as the source of information?
We don’t have any clear answers, unfortunately. With so many different parties sharing user data, finding the answer could be challenging.
LendingTree’s previous data breach in 2008
Should this information prove to be accurate, and we have no reason to doubt it, this would not be the first time that LendingTree.com has suffered a data breach. Back in 2008, news broke that customer data was exposed to third parties. In this particular case, LendingTree blamed “insiders” for the breach.
Recently, LendingTree learned that several former employees may have helped a handful of mortgage lenders gain access to LendingTree’s customer information by sharing confidential passwords with the lenders. When we learned of this situation, we quickly contacted the authorities, and LendingTree is helping with the investigation. We promptly made several system security changes. We also brought lawsuits against those involved.
– LendingTree’s 2008 data breach disclosure to customers
Risks of this (new) data breach
Cyber criminals are getting increasingly advanced in their attempts to exploit user data for profit. We see this with advanced phishing techniques as well as identity theft and financial fraud cases.
In this particular situation, it appears that hundreds of thousands of people have their data exposed for anyone to download and exploit.
Not only does this put all of these people at risk for identity theft and financial fraud, it also puts them at risk for targeted attacks pertaining to home loans. Cyber criminals could utilize the private information from these applications, including names, addresses, phone numbers, and credit scores, to open accounts in the victim’s name and possibly carry out financial transactions.
As noted in the beginning of the article, threat actors are already attempting to sell and barter the data on hacking forums.
Those who are affected by this data breach should be particularly vigilant against compromised accounts, hacking attempts, as well as identity theft and fraud.
You can check whether your email has been compromised by using the Have I Been Pwned website from cybersecurity researcher Troy Hunt.
Hi Sven,
Great reporting and analysis!
From the above, there doesn’t appear to be a mechanism for the customers to be informed of the risk they now face.
How very unsatisfactory.
BoBeX
Nothing is secure [anymore] and IT professionals, Informatics branches, working for these large corporations including government need to realize this. They bombard us and inconvenience us by forcing us to change our password every three to six months with ridiculous naming conventions. Worst of all, they don’t allow us to use password managers.
Rather than changing their approach and mindset, these entities or governments continue repeating the same-old all in the name of “privacy” and “security” without taking [additional] measures to ensure their infrastructure is protected as best as possible.
For the most part, these large corporations would rather pay (a settlement) and pass on the costs to their customers than change their “ways”. Sooner or later, every one of them will be hacked given a like-minded attitude.
BTW, I have never heard of “lendingtree”.
Class action lawsuit time?