Restore Privacy

Hacker Leaks Database Claiming to be from LendingTree

June 21, 2022 By Sven Taylor

A threat actor has released a large database on a popular hacking forum that allegedly came from LendingTree.com. We have analyzed the data and confirmed that it includes extensive private information from 200,643 loan applications from the United States, but LendingTree is denying a breach.

Update: Cybersecurity researcher Catalin Cimpanu discovered that LendingTree has formally acknowledged a data breach with the California Attorney General’s office on June 29th (more information has been added to the article below).

LendingTree is a publicly-traded company based in Charlotte, North Carolina that specializes in connecting consumers with lenders. Consumers can complete loan applications and surveys on LendingTree’s website and then assess different lending options, credit cards, and insurance.

From LendingTree’s website:

We help you get your best deal possible on your loans, period. By giving consumers multiple offers from several lenders in a matter of minutes, we make comparison shopping easy. And we all know-when lenders compete for your business, you win!

LendingTree.com

Earlier this month, two different forum users posted the database allegedly breached from LendingTree.com. In the most recent post, dated June 18, 2022, the user decided to post the “LendingTree DB for free”. This appears to be based on a disagreement with another user who was attempting to sell the same database on the forum.

Either way, this database is currently available for anyone to download and view if you have the URL for access.

LendingTree data breach leak 2022

We downloaded the file and analyzed the data.

200,643 mortgage leads from the US

We were able to access and analyze the database and can confirm it includes the following data for every submitted entry (customer):

  • Email address
  • Name (first and last)
  • Physical address
  • Phone number
  • IP address
  • Date and time of loan form submission
  • Source of lead (LendingTree.com)
  • Loan type that the applicant is seeking
  • Home description
  • Credit profile score
  • Property use
  • Military status
  • Price

The database contains 200,643 entries.

The entries are dated between October and November 2021 with the source being listed as LendingTree.com.

Here is a sample of just three entries from the database with PII redacted.

LendingTree Data Breach Screenshot

All of the entries that we attempted to verify using publicly available search tools match real-world people.

LendingTree denies the data breach

We reached out to LendingTree for comment on the situation.

Arun Sankaran, LendingTree’s CISO, provided us with this statement:

We were made aware of this dataset earlier this year from another site and at that time compared it to our consumer database and were unable to attribute it to LendingTree. What you are referring to in the dataset as “LendingTree.com” is a tag for data source that is intended to differentiate data from multiple sources that is generally added by the consumer of data not the furnisher.

If this data had originated from LendingTree and leaked by a “down-stream source” as you suggested, we would have worked to identify the partner and worked with their Security team to investigate and address the issue and notify appropriate parties.

In addition, we have a 3rd Party Risk program that evaluates the security posture and practices of our partners, and we work with these organizations to address any identified risks.

– LendingTree statement to RestorePrivacy from Arun Sankaran on June 22, 2022

While LendingTree itself is denying responsibility for the breach, LendingTree is directly listed as the source for every entry in this data set, as you can see in the sample above.

Things get even more complex when we dig into LendingTree’s Privacy Policy.

LendingTree shares user data with a large network of third parties

Looking at LendingTree’s Privacy Policy, we find that the business shares user data with a wide network of third parties:

  • LendingTree Affiliates
  • Network Partners
  • Financial Companies
  • Other Business Partners
  • LendingTree Service Providers
  • Other Situations

Each bullet from the list above includes a longer explanation about how user data is getting passed around. You can read about it here.

This section details how data is shared through a network of third parties whenever a visitor to LendingTree.com submits an inquiry on the site.

When you submit an inquiry or use another Service provided through the Website, you direct LendingTree to share information about you or provided by you with lenders and other third parties in our network to deliver the products and services you request (collectively, “Network Partners”).

So, if you use the LendingTree website, you “direct LendingTree to share information about you” with a network of other parties.

And how well are these other parties safeguarding your private data?

Who exactly is responsible for the current data breach that labels LendingTree.com as the source of information?

We don’t have any clear answers, unfortunately. With so many different parties sharing user data, finding the answer could be challenging.

LendingTree’s previous data breach in 2008

Should this information prove to be accurate, and we have no reason to believe otherwise, this would not be the first time that LendingTree.com has suffered a data breach. Back in 2008, news broke that customer data was exposed to third parties. In this particular case, LendingTree blamed “insiders” for the breach.

Recently, LendingTree learned that several former employees may have helped a handful of mortgage lenders gain access to LendingTree’s customer information by sharing confidential passwords with the lenders. When we learned of this situation, we quickly contacted the authorities, and LendingTree is helping with the investigation. We promptly made several system security changes. We also brought lawsuits against those involved.

– LendingTree’s 2008 data breach disclosure to customers

Risks of this (new) data breach

Cyber criminals are getting increasingly advanced in their attempts to exploit user data for profit. We see this with advanced phishing techniques as well as identity theft and financial fraud cases.

In this particular situation, it appears that hundreds of thousands of people have their data exposed for anyone to download and exploit.

Not only does this put all of these people at risk for identity theft and financial fraud, it also puts them at risk for targeted attacks pertaining to home loans. Cyber criminals could utilize the private information of these applications, including names, addresses, phone numbers, and credit scores, to open accounts in the victim’s name and possibly carry out financial transactions.

As noted in the beginning of the article, threat actors are already attempting to sell and barter the data on hacking forums.

Those who are affected by this data breach should be particularly vigilant against compromised accounts, hacking attempts, as well as identity theft and fraud.

You can check whether your email has been compromised by using the Have I Been Pwned website from cybersecurity researcher Troy Hunt.


Update: LendingTree admits it was breached

Cybersecurity researcher Catalin Cimpanu found that LendingTree has now officially acknowledged a data breach with the California Attorney General’s office on June 29, 2022.

A sample of the breach notification document that LendingTree is sending out to its customers can be found here.

We reached out for comment from LendingTree on the current situation. In the statement below, you can see that LendingTree is claiming that the admitted data breach (from June 29th) was a separate security breach unrelated to the data set we referenced above.

It’s important to note that at any given time, we may be investigating multiple security issues. The issue we commented on per your query on June 22nd is unrelated to the issue we disclosed on June 29th.

The original issue you referenced was related to 200k records that were offered for sale online. If you recall, it had already been reported to us previously and determined not to be LendingTree data after cross referencing with our consumer database.

This issue we disclosed was identified and mitigated by our Security team on June 3rd.  Once confirmed by all appropriate parties, we disclosed in compliance with all applicable laws/rules/regulations.

– LendingTree’s statement to RestorePrivacy via Arun Sankaran on July 14, 2022

We will continue monitoring the situation and update this article with any new information.

About Sven Taylor

Sven Taylor is the lead editor and founder of Restore Privacy, a digital privacy advocacy group. With a passion for digital privacy and accessible information, he created RestorePrivacy to provide you with honest, useful, and up-to-date information about online privacy, security, and related topics.

Reader Interactions

Comments

  1. BoBeX

    June 24, 2022

    Hi Sven,

    Great reporting and analysis!

    From the above, there doesn’t appear to be a mechanism for the customers to be informed of the risk they now face.
    How very unsatisfactory.

    BoBeX

  2. RTD

    June 22, 2022

    Nothing is secure [anymore] and IT professionals, Informatics branches, working for these large corporations including government need to realize this. They bombard us and inconvenience us by forcing us to change our password every three to six months with ridiculous naming conventions. Worst of all, they don’t allow us to use password managers.

    Rather than changing their approach and mindset, these entities or governments continue repeating the same-old all in the name of “privacy” and “security” without taking [additional] measures to ensure their infrastructure is protected as best as possible.

    For the most part, these large corporations would rather pay (a settlement) and pass on the costs to their customers than change their “ways”. Sooner or later, every one of them will be hacked given a like-minded attitude.

    BTW, I have never heard of “lendingtree”.

  3. Chucky D

    June 21, 2022

    Class action lawsuit time?
