According to TechCrunch, a data breach at credit check and identity verification company 700Credit has affected at least 5.6 million people. The Michigan-based firm, which serves auto dealerships nationwide, said an unidentified bad actor stole names, addresses, dates of birth, and Social Security numbers. Michigan’s attorney general stated the hacker stole data collected from dealers between May and October 2025, with the breach itself occurring in October. 700Credit is now sending letters by mail to impacted individuals, offering credit monitoring services. Attorney General Dana Nessel urged recipients not to ignore these letters, emphasizing the need for credit freezes or monitoring to prevent fraud.
Why This One Hurts
Look, data breaches are sadly routine now. But this one is particularly nasty because of the specific data and the source. We’re talking about the full identity theft starter kit—Social Security numbers and DOBs—coming from a company whose entire job is to verify people for major purchases. These aren’t leaked email addresses from a social media site. This is the core data used to open new lines of credit, take out loans, or worse. And it was stolen from a service used by auto dealerships, which means the victims were likely in the process of buying a car. So you’ve got people who are already stressed about a big financial decision now facing potential identity theft. It’s a brutal one-two punch.
The Slow Rollout Problem
Here’s another frustrating angle: the timeline. The data was siphoned off over a six-month period from May to October, and the breach happened in October. But public notifications are only going out now, in December. That’s a significant gap. What was that bad actor doing with all that data for the last two months? Probably selling it on dark web forums or using it already. The company’s official notice page and the AG’s press release tell you what to do, but the delay itself is a problem. It highlights a recurring issue in these incidents: the lag between discovery, internal investigation, and public disclosure often works in the hacker’s favor, not the victim’s.
What You Should Do Now
If you bought or tried to buy a car in the last year, you need to pay attention. AG Nessel’s advice is correct: don’t ignore a letter from 700Credit. But honestly, don’t wait for the letter either. Assume you’re affected if you’ve had a credit check run at a dealership. Your first move should be a credit freeze at all three major bureaus (Equifax, Experian, TransUnion). It’s free and it’s the most effective step. Monitoring is good, but it’s reactive—it tells you after something bad happens. A freeze is proactive; it stops new accounts from being opened in your name at all. You can also check your state’s consumer protection site, like this one from Wisconsin’s DATCP, for general guidance. Basically, take this seriously. This isn’t a “change your password” event.
The Broader Trend of Supply-Chain Hacks
This breach isn’t an isolated event. It’s part of a dangerous trend: attackers targeting the supply chain of critical services. Why hack millions of individuals when you can hack one company that has data on all of them? 700Credit is a behind-the-scenes operator, a B2B company most people have never heard of, yet it holds the keys to the kingdom for a huge swath of consumers. We’ve seen this with payment processors, cloud providers, and now credit verification services. The security of your data is only as strong as the weakest link in a long chain of companies that handle it. And in our interconnected economy, that chain is getting longer every day. So what’s the solution? Stricter regulations on data handlers? Fiercer penalties? It’s a tough problem, but breaches like this show we’re not winning the fight.
