A threat actor has released a large database on a popular hacking forum that allegedly came from LendingTree.com. We have analyzed the data and confirmed that it includes extensive private information from 200,643 loan applications from the United States, but LendingTree is denying a breach.
Update: Cybersecurity researcher Catalin Cimpanu discovered that LendingTree has formally acknowledged a data breach with the California Attorney General’s office on June 29th (more information has been added to the article below).
LendingTree is a publicly-traded company based in Charlotte, North Carolina that specializes in connecting consumers with lenders. Consumers can complete loan applications and surveys on LendingTree’s website and then assess different lending options, credit cards, and insurance.
From LendingTree’s website:
We help you get your best deal possible on your loans, period. By giving consumers multiple offers from several lenders in a matter of minutes, we make comparison shopping easy. And we all know-when lenders compete for your business, you win!
LendingTree.com
Earlier this month, two different forum users posted the database allegedly breached from LendingTree.com. In the most recent post, dated June 18, 2022, the user decided to post the “LendingTree DB for free”. This appears to be based on a disagreement with another user who was attempting to sell the same database on the forum.
Either way, this database is currently available for anyone to download and view if you have the URL for access.
We downloaded the file and analyzed the data.
200,643 mortgage leads from the US
We were able to access and analyze the database and can confirm it includes the following data for every submitted entry (customer):
- Email address
- Name (first and last)
- Physical address
- Phone number
- IP address
- Data and time of loan form submission
- Source of lead (LendingTree.com)
- Loan type that the applicant is seeking
- Home description
- Credit profile score
- Property use
- Military status
- Price
The database contains 200,643 entries.
The entries are dated between October and November 2021 with the source being listed as LendingTree.com.
Here is a sample of just three entries from the database with PII redacted.
All of the entries that we attempted to verify using publicly available search tools match real-world people.
LendingTree denies the data breach
We reached out to LendingTree for comment on the situation.
Arun Sankaran, LendingTree’s CISO, provided us with this statement:
We were made aware of this dataset earlier this year from another site and at that time compared it to our consumer database and were unable to attribute it to LendingTree. What you are referring to in the dataset as “LendingTree.com” is a tag for data source that is intended to differentiate data from multiple sources that is generally added by the consumer of data not the furnisher.
– LendingTree statement to RestorePrivacy from Arun Sankaran on June 22, 2022
If this data had originated from LendingTree and leaked by a “down-stream source” as you suggested, we would have worked to identify the partner and worked with their Security team to investigate and address the issue and notify appropriate parties.
In addition, we have a 3rd Party Risk program that evaluates the security posture and practices of our partners, and we work with these organizations to address any identified risks.
While LendingTree itself is denying responsibility for the breach, LendingTree is directly listed as the source for every entry in this data set, as you can see in the sample above.
Things get even more complex when we dig into LendingTree’s Privacy Policy.
LendingTree shares user data with a large network of third parties
Looking at LendingTree’s Privacy Policy, we find that the business shares user data with a wide network of third parties:
- LendingTree Affiliates
- Network Partners
- Financial Companies
- Other Business Partners
- LendingTree Service Providers
- Other Situations
Each bullet from the list above includes a longer explanation about how user data is getting passed around. You can read about it here.
This section details how data is shared through a network of third parties whenever a visitor to LendingTree.com submits in inquiry on the site.
When you submit an inquiry or use another Service provided through the Website, you direct LendingTree to share information about you or provided by you with lenders and other third parties in our network to deliver the products and services you request (collectively, “Network Partners”).
So, if you use the LendingTree website, you “direct LendingTree to share information about you” with a network of other parties.
And how well are these other parties safeguarding your private data?
Who exactly is responsible for the current data breach that labels LendingTree.com as the source of information?
We don’t have any clear answers, unfortunately. With so many different parties sharing user data, finding the answer could be challenging.
LendingTree’s previous data breach in 2008
Should this information prove to be accurate, and we have no reason to doubt otherwise, this would not be the first time that LendingTree.com has suffered a data breach. Back in 2008, news broke that customer data was exposed to third parties. In this particular case, LendingTree blamed “insiders” for the breach.
Recently, LendingTree learned that several former employees may have helped a handful of mortgage lenders gain access to LendingTree’s customer information by sharing confidential passwords with the lenders. When we learned of this situation, we quickly contacted the authorities, and LendingTree is helping with the investigation. We promptly made several system security changes. We also brought lawsuits against those involved.
– LendingTree’s 2008 data breach disclosure to customers
Risks of this (new) data breach
Cyber criminals are getting increasingly advanced in their attempts to exploit user data for profit. We see this with advanced phishing techniques as well as identity theft and financial fraud cases.
In this particular situation, it appears that hundreds of thousands of people have their data exposed for anyone to download and exploit.
Not only does this put all of these people at risk for identity theft and financial fraud, it also puts them at risk for targeted attacks pertaining to home loans. Cyber criminals could utilize the private information of these applications, including names, addresses, phone numbers, and credit scores, to open accounts in the victim’s name and possibly carry out financial transactions.
As noted in the beginning of the article, threat actors are already attempting to sell and barter the data on hacking forums.
Those who are affected by this data breach should be particularly vigilant against compromised accounts, hacking attempts, as well as identity theft and fraud.
You can check whether your email has been compromised by using the Have I Been Pwned website from cybersecurity researcher Troy Hunt.
Update: LendingTree admits it was breached
Cybersecurity researcher Catalin Cimpanu found that LendingTree has now officially acknowledged a data breach with the California Attorney General’s office on June 29, 2022.
A sample of the breach notification document that LendingTree is sending out to its customers can be found here.
We reached out for comment from LendingTree on the current situation. In the statement below, you can see that LendingTree is claiming that the admitted data breach (from June 29th) was a separate security breach unrelated to the data set we referenced above.
It’s important to note that at any given time, we may be investigating multiple security issues. The issue we commented on per your query on June 22nd is unrelated to the issue we disclosed on June 29th.
– LendingTree’s statement to RestorePrivacy via Arun Sankaran on July 14, 2022
The original issue you referenced was related to 200k records that were offered for sale online. If you recall, it had already been reported to us previously and determined not to be LendingTree data after cross referencing with our consumer database.
This issue we disclosed was identified and mitigated by our Security team on June 3rd. Once confirmed by all appropriate parties, we disclosed in compliance with all applicable laws/rules/regulations.
We will continue monitoring the situation and update this article with any new information.
Hi Sven,
Great reporting and analysis!
From the above, there doesn’t appear to be a mechanism for the customers to be informed to the risk they now face.
How every unsatisfactory.
BoBeX
Nothing is secure [anymore] and IT professionals, Informatics branches, working for these large corporations including government need to realize this. They bombard us and inconvenience us by forcing us to change our password every three to six months with ridiculous naming conventions. Worst of all, they don’t allow us to use password managers.
Rather than changing their approach and mindset, these entities or governments continue repeating the same-old all in the name of “privacy” and “security” without taking [additional] measures to ensure their infrastructure is protected as best as possible.
For the most part, these large corporations would rather pay (a settlement) and pass on the costs to their customers than change their “ways”. Sooner or later, every one of them will be hacked given a like-minded attitude.
BTW, I have never heard of “lendingtree”.
Class action lawsuit time?
Count me in. I have proof I’m included. I have been getting huge ammounts of jumpmail on an address I only ever used with them. (myemail+lendingtree@gmail.com) Either Lending Tree is sending the spam themselves, or they have been owned yet again.