• Skip to main content
  • Skip to header right navigation
  • Skip to site footer
RestorePrivacy

RestorePrivacy

Resources to stay safe and secure online

  • Tools
    • Secure Browser
    • VPN
    • Ad Blocker
    • Secure Email
    • Private Search Engine
    • Password Manager
    • Secure Messaging App
    • Tor
    • Identity Theft Protection
    • Unblock Websites
    • Privacy Tools
  • Email
    • Secure Email
    • ProtonMail Review
    • Tutanota Review
    • Mailfence Review
    • Mailbox.org Review
    • Hushmail Review
    • Posteo Review
    • Fastmail Review
    • Runbox Review
    • CTemplar Review
    • Temporary Disposable Email
    • Encrypted Email
    • Alternatives to Gmail
  • VPN
    • What is VPN
    • VPN Reviews
      • NordVPN Review
      • Surfshark Review
      • VyprVPN Review
      • Perfect Privacy Review
      • ExpressVPN Review
      • CyberGhost Review
      • AVG VPN Review
      • IPVanish Review
      • Hotspot Shield VPN Review
      • ProtonVPN Review
      • Atlas VPN Review
      • Private Internet Access Review
      • Avast VPN Review
      • TorGuard Review
      • PrivadoVPN Review
    • VPN Comparison
      • NordVPN vs ExpressVPN
      • NordVPN vs PIA
      • IPVanish vs ExpressVPN
      • CyberGhost vs NordVPN
      • Surfshark vs NordVPN
      • IPVanish vs NordVPN
      • ExpressVPN vs PIA
      • VyprVPN vs NordVPN
      • CyberGhost vs ExpressVPN
      • NordVPN vs HideMyAss
      • ExpressVPN vs ProtonVPN
      • ProtonVPN vs NordVPN
      • ExpressVPN vs Surfshark
      • Surfshark vs CyberGhost
      • Surfshark vs IPVanish
    • Best VPNs
      • Best VPN for Torrenting
      • Best VPN for Netflix
      • Best Free VPN
      • Best VPN for Fire TV Stick
      • Best VPN for Amazon Prime
      • Best VPN for Android
      • Best VPN for Gaming
      • Best VPN for PC
      • Best VPN for Disney Plus
      • Best VPN for Hulu
      • Best VPN for Mac
      • Best VPN for Streaming
      • Best VPN for Windows
      • Best VPN for iPhone
    • VPN Coupons
      • ExpressVPN Coupon
      • NordVPN Coupon
      • VPN Black Friday
    • VPN Guides
      • Free Trial VPN
      • Cheap VPNs
      • Static IP VPN
      • Chrome VPN
      • No Logs VPN
      • VPN for Binance
      • WireGuard VPN
      • VPN for Linux
      • VPN for Firefox
      • VPN for BBC iPlayer
    • By Country
      • Best VPN Canada
      • Best VPN USA
      • Best VPN UK
      • Best VPN Australia
      • VPN for Russia
    • VPN Router
  • Password
    • Best Password Managers
    • KeePass Review
    • NordPass Review
    • 1Password Review
    • Dashlane Review
    • LastPass Review
    • Bitwarden Review
  • Storage
    • Best Cloud Storage
    • pCloud Review
    • Nextcloud Review
    • IDrive Review
    • SpiderOak Review
    • Sync.com Review
    • MEGA Cloud Review
    • NordLocker Review
    • Tresorit Review
    • Google Drive Alternatives
  • Messenger
    • Secure Messaging Apps
    • Signal Review
    • Telegram Review
    • Wire Review
    • Threema Review
    • Session Review
  • News
  • Info
    • Mission
    • Press
    • Contact
  • Tools
    • Secure Browser
    • VPN
    • Ad Blocker
    • Secure Email
    • Private Search Engine
    • Password Manager
    • Secure Messaging App
    • Tor
    • Identity Theft Protection
    • Unblock Websites
    • Privacy Tools
  • Email
    • Secure Email
    • ProtonMail Review
    • Tutanota Review
    • Mailfence Review
    • Mailbox.org Review
    • Hushmail Review
    • Posteo Review
    • Fastmail Review
    • Runbox Review
    • CTemplar Review
    • Temporary Disposable Email
    • Encrypted Email
    • Alternatives to Gmail
  • VPN
    • What is VPN
    • VPN Reviews
      • NordVPN Review
      • Surfshark Review
      • VyprVPN Review
      • Perfect Privacy Review
      • ExpressVPN Review
      • CyberGhost Review
      • AVG VPN Review
      • IPVanish Review
      • Hotspot Shield VPN Review
      • ProtonVPN Review
      • Atlas VPN Review
      • Private Internet Access Review
      • Avast VPN Review
      • TorGuard Review
      • PrivadoVPN Review
    • VPN Comparison
      • NordVPN vs ExpressVPN
      • NordVPN vs PIA
      • IPVanish vs ExpressVPN
      • CyberGhost vs NordVPN
      • Surfshark vs NordVPN
      • IPVanish vs NordVPN
      • ExpressVPN vs PIA
      • VyprVPN vs NordVPN
      • CyberGhost vs ExpressVPN
      • NordVPN vs HideMyAss
      • ExpressVPN vs ProtonVPN
      • ProtonVPN vs NordVPN
      • ExpressVPN vs Surfshark
      • Surfshark vs CyberGhost
      • Surfshark vs IPVanish
    • Best VPNs
      • Best VPN for Torrenting
      • Best VPN for Netflix
      • Best Free VPN
      • Best VPN for Fire TV Stick
      • Best VPN for Amazon Prime
      • Best VPN for Android
      • Best VPN for Gaming
      • Best VPN for PC
      • Best VPN for Disney Plus
      • Best VPN for Hulu
      • Best VPN for Mac
      • Best VPN for Streaming
      • Best VPN for Windows
      • Best VPN for iPhone
    • VPN Coupons
      • ExpressVPN Coupon
      • NordVPN Coupon
      • VPN Black Friday
    • VPN Guides
      • Free Trial VPN
      • Cheap VPNs
      • Static IP VPN
      • Chrome VPN
      • No Logs VPN
      • VPN for Binance
      • WireGuard VPN
      • VPN for Linux
      • VPN for Firefox
      • VPN for BBC iPlayer
    • By Country
      • Best VPN Canada
      • Best VPN USA
      • Best VPN UK
      • Best VPN Australia
      • VPN for Russia
    • VPN Router
  • Password
    • Best Password Managers
    • KeePass Review
    • NordPass Review
    • 1Password Review
    • Dashlane Review
    • LastPass Review
    • Bitwarden Review
  • Storage
    • Best Cloud Storage
    • pCloud Review
    • Nextcloud Review
    • IDrive Review
    • SpiderOak Review
    • Sync.com Review
    • MEGA Cloud Review
    • NordLocker Review
    • Tresorit Review
    • Google Drive Alternatives
  • Messenger
    • Secure Messaging Apps
    • Signal Review
    • Telegram Review
    • Wire Review
    • Threema Review
    • Session Review
  • News
  • Info
    • Mission
    • Press
    • Contact

Hacker Leaks Database Claiming to be from LendingTree

June 21, 2022 By Sven Taylor — 3 Comments
LendingTree Data Breach

A threat actor has released a large database on a popular hacking forum that allegedly came from LendingTree.com. We have analyzed the data and confirmed that it includes extensive private information from 200,643 loan applications from the United States, but LendingTree is denying a breach.

LendingTree is a publicly-traded company based in Charlotte, North Carolina that specializes in connecting consumers with lenders. Consumers can complete loan applications and surveys on LendingTree’s website and then assess different lending options, credit cards, and insurance.

From LendingTree’s website:

We help you get your best deal possible on your loans, period. By giving consumers multiple offers from several lenders in a matter of minutes, we make comparison shopping easy. And we all know-when lenders compete for your business, you win!

LendingTree.com

Earlier this month, two different forum users posted the database allegedly breached from LendingTree.com. In the most recent post, dated June 18, 2022, the user decided to post the “LendingTree DB for free”. This appears to be based on a disagreement with another user who was attempting to sell the same database on the forum.

Either way, this database is currently available for anyone to download and view if you have the URL for access.

LendingTree data breach leak 2022

We downloaded the file and analyzed the data.

200,643 mortgage leads from the US

We were able to access and analyze the database and can confirm it includes the following data for every submitted entry (customer):

  • Email address
  • Name (first and last)
  • Physical address
  • Phone number
  • IP address
  • Data and time of loan form submission
  • Source of lead (LendingTree.com)
  • Loan type that the applicant is seeking
  • Home description
  • Credit profile score
  • Property use
  • Military status
  • Price

The database contains 200,643 entries.

All of the entries are dated between October and November 2021 with the source being listed as LendingTree.com.

Here is a sample of just three entries from the database with PII redacted.

LendingTree Data Breach Screenshot

All of the entries that we attempted to verify using publicly available search tools match real-world people.

That is not to say that every entry is completely legitimate, however, as visitors to LendingTree.com could potentially enter fake information to check on loan rates, for example. However, all of the entries we analyzed in the database do appear to match with real people in the United States.

We reached out to LendingTree for comment on the situation and they provided us with this statement:

We previously conducted an investigation on this data set, and have determined that this data leak did not originate at LendingTree.

We maintain a comprehensive information security program and continually work to help protect the data of our customers.

– LendingTree statement to RestorePrivacy

While LendingTree itself is denying responsibility for the breach, it is directly listed as the source for the entries in this data set, as you can see in the sample above.

Things get even more complex when we dig into LendingTree’s Privacy Policy.

LendingTree shares user data with a large network of third parties

Looking at LendingTree’s Privacy Policy, we find that the business shares user data with a wide network of third parties:

  • LendingTree Affiliates
  • Network Partners
  • Financial Companies
  • Other Business Partners
  • LendingTree Service Providers
  • Other Situations

Each bullet from the list above includes a longer explanation about how user data is getting passed around. You can read about it here.

This section details how data is shared through a network of third parties whenever a visitor to LendingTree.com submits in inquiry on the site.

When you submit an inquiry or use another Service provided through the Website, you direct LendingTree to share information about you or provided by you with lenders and other third parties in our network to deliver the products and services you request (collectively, “Network Partners”).

So, if you use the LendingTree website, you “direct LendingTree to share information about you” with a network of other parties.

And how well are these other parties safeguarding your private data?

Who exactly is responsible for the current data breach that labels LendingTree.com as the source of information?

We don’t have any clear answers, unfortunately. With so many different parties sharing user data, finding the answer could be challenging.

LendingTree’s previous data breach in 2008

Should this information prove to be accurate, and we have no reason to doubt otherwise, this would not be the first time that LendingTree.com has suffered a data breach. Back in 2008, news broke that customer data was exposed to third parties. In this particular case, LendingTree blamed “insiders” for the breach.

Recently, LendingTree learned that several former employees may have helped a handful of mortgage lenders gain access to LendingTree’s customer information by sharing confidential passwords with the lenders. When we learned of this situation, we quickly contacted the authorities, and LendingTree is helping with the investigation. We promptly made several system security changes. We also brought lawsuits against those involved.

– LendingTree’s 2008 data breach disclosure to customers

Risks of this (new) data breach

Cyber criminals are getting increasingly advanced in their attempts to exploit user data for profit. We see this with advanced phishing techniques as well as identity theft and financial fraud cases.

In this particular situation, it appears that hundreds of thousands of people have their data exposed for anyone to download and exploit.

Not only does this put all of these people at risk for identity theft and financial fraud, it also puts them at risk for targeted attacks pertaining to home loans. Cyber criminals could utilize the private information of these applications, including names, addresses, phone numbers, and credit scores, to open accounts in the victim’s name and possibly carry out financial transactions.

As noted in the beginning of the article, threat actors are already attempting to sell and barter the data on hacking forums.

Those who are affected by this data breach should be particularly vigilant against compromised accounts, hacking attempts, as well as identity theft and fraud.

You can check whether your email has been compromised by using the Have I Been Pwned website from cybersecurity researcher Troy Hunt.

About Sven Taylor

Sven Taylor is a digital privacy expert who has been writing about privacy and security online since 2016. With a passion for digital privacy and online freedom, he created RestorePrivacy to provide you with honest, useful, and up-to-date information about online privacy, security, and related topics.

Reader Interactions

Comments

  1. BoBeX

    June 24, 2022

    Hi Sven,

    Great reporting and analysis!

    From the above, there doesn’t appear to be a mechanism for the customers to be informed to the risk they now face.
    How every unsatisfactory.

    BoBeX

    Reply
  2. RTD

    June 22, 2022

    Nothing is secure [anymore] and IT professionals, Informatics branches, working for these large corporations including government need to realize this. They bombard us and inconvenience us by forcing us to change our password every three to six months with ridiculous naming conventions. Worst of all, they don’t allow us to use password managers.

    Rather than changing their approach and mindset, these entities or governments continue repeating the same-old all in the name of “privacy” and “security” without taking [additional] measures to ensure their infrastructure is protected as best as possible.

    For the most part, these large corporations would rather pay (a settlement) and pass on the costs to their customers than change their “ways”. Sooner or later, every one of them will be hacked given a like-minded attitude.

    BTW, I have never heard of “lendingtree”.

    Reply
  3. Chucky D

    June 21, 2022

    Class action lawsuit time?

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Sidebar

Digital Privacy Essentials:
Secure Browsers
Private Search Engines
Secure Email
Best Password Managers
Secure Messaging Services
Best Ad Blockers
Best VPN Services
Secure Cloud Storage

Privacy & Security Guides:
Privacy Tools
Alternatives to Google Products
Firefox Privacy Modifications
Five Eyes, 9 Eyes, 14 Eyes Spying
Browser Fingerprinting
Is Tor Safe?
Alternatives to Gmail
VPN vs Tor
Alternatives to WhatsApp
Is Your Antivirus Spying on You?
Controlling Communication Channels is Crucial for Privacy
Anonymity Networks: VPNs, Tor, and I2P
How to Really Be Anonymous Online
Private and Anonymous Payments

Secure Email Reviews:
ProtonMail Review
Tutanota Review
Mailfence Review
Mailbox.org Review
Hushmail Review
Posteo Review
Fastmail Review
Runbox Review
CTemplar Review
Temporary Email Services
Encrypted Email

Password Manager Reviews:
Bitwarden Review
LastPass Review
KeePass Review
NordPass Review
Dashlane Review
1Password Review
Best Password Managers

Secure Messaging App Reviews:
Wire Review
Signal Review
Threema Review
Telegram Review
Session Review
Wickr Review

Secure Cloud Storage Reviews
Tresorit Review
MEGA Cloud Review
Sync.com Review
Nextcloud Review
IDrive Review
pCloud Review
SpiderOak Review
NordLocker Review

How To Guides
How to Encrypt Files on Windows
How to Encrypt Email
How to Configure Windows 10 for Privacy
How to use Two-Factor Authentication (2FA)
How to Secure Your Android Device for Privacy
How to Secure Your Home Network
How to Protect Yourself Against Identity Theft
How to Unblock Websites
How to Fix WebRTC Leaks
How to Test Your VPN
How to Hide Your IP Address
How to Create Strong Passwords
How to Really Be Anonymous Online

About RestorePrivacy

Contact

Archives

  • June 2022
  • May 2022
  • March 2022
  • February 2022
  • January 2022
  • November 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • December 2020
  • June 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • July 2019
  • March 2019
  • August 2018
  • July 2018
  • June 2018
  • April 2018
  • March 2018
  • October 2017
  • January 2017

Categories

  • Advanced Privacy Guides
  • Featured
  • News and Reports

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

RestorePrivacy Checklist

  1. Secure browser: Modified Firefox or Brave
  2. VPN: NordVPN (68% Off Coupon) or Surfshark
  3. Ad blocker: uBlock Origin or AdGuard
  4. Secure email: Mailfence or Tutanota
  5. Secure Messenger: Signal or Threema
  6. Private search engine: MetaGer or Swisscows
  7. Password manager: NordPass or Bitwarden

Support this Project

RestorePrivacy was created to provide you with honest, useful, and up-to-date information about online privacy and security topics. You can support this project through donations, purchasing items through our links (we may earn a commission at no extra cost to you), and sharing this information with others. See our mission here.

RestorePrivacy is also on Twitter

We’re available for Press and media inquiries here.

COPYRIGHT © 2022 RESTORE PRIVACY, LLC · PRIVACY POLICY · TERMS OF USE · CONTACT · SITEMAP