The ShinyHunters threat group has listed Colombian fintech company Addi, operated by Adelante Soluciones Financieras, as its latest alleged victim, claiming to have exfiltrated a large scale dataset containing sensitive financial and personal information.
According to the group, the dataset includes records tied to more than 16 million individuals and totals over 518 GB in compressed form. The actors claim the data includes personally identifiable information, credit card and transaction data, Know Your Customer (KYC) records, and background check data sourced from credit bureaus including TransUnion and Experian.
The company had not issued any public statement at time of publication.
Alleged dataset spans identity, financial, and credit intelligence records
ShinyHunters describes the dataset as containing a broad range of high risk data categories typically associated with financial onboarding and credit assessment processes. This reportedly includes identity verification documents, transaction histories, and credit related insights that may have been integrated from third party providers.
The inclusion of credit bureau data, if accurate, raises additional concerns around downstream data sharing and aggregation practices, particularly if third party integrations were involved in the alleged exposure.
Extortion claim suggests breakdown in negotiations
The threat group claims the data was released after the company failed to reach an agreement, stating that multiple opportunities were provided to resolve the situation. This follows a familiar pattern in ShinyHunters operations, where victims are allegedly given a window to negotiate before data is listed or published.
This tactic mirrors previous incidents covered by BreachNews, including the Carnival Corporation breach claim and the Udemy dataset release, where alleged data exposure followed failed negotiations.
Verification remains limited to threat actor claims
At this stage, there has been no independent verification of the dataset, and the full scope, authenticity, and origin of the data remain unclear. It is not known whether the records are newly obtained, aggregated from previous breaches, or partially recycled from other sources.
As with other recent ShinyHunters listings, the absence of technical details regarding initial access or exfiltration methods makes it difficult to assess how the data was allegedly obtained.
Organizations handling financial and identity data at this scale typically rely on complex integrations across internal systems and third party providers, which can expand the attack surface and introduce multiple potential points of exposure.
Until further confirmation is available, the claims should be treated as unverified. However, the nature of the alleged data, particularly financial and credit related records, places affected individuals at elevated risk of fraud, identity theft, and targeted social engineering attacks if the dataset proves legitimate.
