SoFi Technologies Hit by Social Engineering Breach, Exposing Sensitive Data of Nearly 38,000 Washington Residents
SoFi Technologies, a San Francisco-based financial technology company, disclosed a data breach stemming from a social engineering attack that compromised the personal information of approximately 38,049 Washington state residents. The unauthorized access occurred between December 29, 2025, and January 3, 2026, with SoFi detecting the incident on or around January 2, 2026.
Upon discovery, SoFi activated its incident response protocols, engaged cybersecurity experts, and notified law enforcement. The company confirmed that no further unauthorized activity has been observed since January 3, 2026. While financial data such as account numbers, passwords, and payment card details remained unaffected, the exposed information included names, full dates of birth, addresses, email addresses, phone numbers, and employment and education details.
SoFi has stated that affected individuals may be entitled to legal protections, including free credit monitoring, fraud alerts, and potential compensation under state and federal laws. The breach is currently under investigation by class action law firm Shamis & Gentile P.A., which is evaluating claims for those impacted.
Source: https://www.claimdepot.com/investigations/sofi-data-breach-2026
Sofi Technologies cybersecurity rating report: https://www.rankiteo.com/company/sofi-technologies
"id": "SOF1770198024",
"linkid": "sofi-technologies",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '38,049 Washington state '
'residents',
'industry': 'FinTech',
'location': 'San Francisco, California, USA',
'name': 'SoFi Technologies',
'type': 'Financial Technology Company'}],
'attack_vector': 'Social Engineering',
'customer_advisories': 'Affected individuals may be entitled to free credit '
'monitoring, fraud alerts, and potential compensation '
'under state and federal laws.',
'data_breach': {'number_of_records_exposed': '38,049',
'personally_identifiable_information': 'Names, full dates of '
'birth, addresses, '
'email addresses, '
'phone numbers, '
'employment and '
'education details',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Personal Information'},
'date_detected': '2026-01-02',
'date_resolved': '2026-01-03',
'description': 'SoFi Technologies disclosed a data breach stemming from a '
'social engineering attack that compromised the personal '
'information of approximately 38,049 Washington state '
'residents. The unauthorized access occurred between December '
'29, 2025, and January 3, 2026, with no financial data such as '
'account numbers, passwords, or payment card details affected. '
'Exposed information included names, full dates of birth, '
'addresses, email addresses, phone numbers, and employment and '
'education details.',
'impact': {'data_compromised': 'Names, full dates of birth, addresses, email '
'addresses, phone numbers, employment and '
'education details',
'identity_theft_risk': 'High',
'legal_liabilities': 'Potential compensation under state and '
'federal laws',
'payment_information_risk': 'None'},
'investigation_status': 'Ongoing',
'references': [{'source': 'SoFi Technologies Disclosure'}],
'regulatory_compliance': {'legal_actions': 'Class action investigation by '
'Shamis & Gentile P.A.'},
'response': {'communication_strategy': 'Public disclosure, customer '
'advisories',
'incident_response_plan_activated': 'Yes',
'law_enforcement_notified': 'Yes',
'third_party_assistance': 'Cybersecurity experts'},
'title': 'SoFi Technologies Social Engineering Breach',
'type': 'Data Breach'}