SoFi Hong Kong Confirms Third-Party Vendor Data Breach

SoFi Securities (Hong Kong) Limited is notifying customers of a data breach that exposed an unknown volume of personal information through a third-party vendor database. The subsidiary of U.S.-based fintech company SoFi disclosed the incident in customer emails obtained by BleepingComputer, confirming that unauthorized access to the vendor's database was detected on April 30, 2026. SoFi engaged an external cybersecurity firm to lead the response, though investigators have not yet determined which categories of customer data were compromised.

The breach highlights the ongoing risk of third-party supply chain attacks, where threat actors target service providers to reach the larger organization's customer base. A SoFi spokesperson confirmed the incident to BleepingComputer but declined to specify the number of affected customers, whether a ransom demand was received, or the identity of the compromised vendor. Customers concerned about exposure can use a free email breach checker to see if their credentials have surfaced in known leaks tied to similar incidents.

In its notification, SoFi urged customers to remain alert for phishing attempts, suspicious communications, and unusual account activity. The company recommended updating passwords, enabling two-factor authentication, monitoring financial accounts, and avoiding unsolicited links or attachments. SoFi has deployed additional safeguards and account monitoring, and may require extra identity verification for customers contacting support or making account changes. Affected users seeking guidance can run a quick password checker to evaluate the strength of their existing credentials, and conduct a broader privacy checkup to identify other exposed attack surfaces. Hong Kong-based customers can reach SoFi's local support team at +852 26938888 or hello@sofi.hk.