Dark Web News Analysis
A threat actor on a known hacker forum is advertising the sale of a massive database belonging to LenDenClub (lendenclub.com), one of India’s largest Peer-to-Peer (P2P) lending platforms. The dataset reportedly contains 11 million customer records dating from 2024.
Brinztech Analysis:
- The Target: LenDenClub is a major fintech player connecting borrowers and investors. A breach here exposes not just borrowers with credit needs, but investors with deployable capital.
- The Data: The leaked CSV files are described as comprehensive “Fullz,” containing:
  - Credentials: User IDs and Passwords (posing an immediate account takeover risk).
  - KYC Documents: Aadhaar Numbers and PAN (Permanent Account Number).
  - PII: Full Names, Mobile Numbers, Email Addresses, Dates of Birth, Marital Status, and Occupation.
- Context: This listing appears during a critical regulatory period. The Reserve Bank of India (RBI) has been tightening P2P lending norms in late 2024/2025. A breach of this magnitude involving unmasked Aadhaar/PAN data is a catastrophic compliance failure under the new Digital Personal Data Protection (DPDP) Act.
Key Cybersecurity Insights
This alleged data breach presents a critical threat to the Indian fintech ecosystem:
- High Utility for Financial Fraud: The combination of PAN, Aadhaar, and Mobile Numbers is the “holy grail” for financial fraud in India. Attackers can use this data to bypass Know Your Customer (KYC) checks, open fraudulent bank accounts, or apply for loans across other lending apps.
- Compromised Credentials: The inclusion of passwords is the most alarming technical detail. If these are not salted/hashed robustly, attackers can immediately hijack accounts to divert investments or manipulate loan disbursements. Even if hashed, users often reuse passwords, putting their email and banking accounts at risk.
- Regulatory & Legal Fallout: Under the DPDP Act, LenDenClub faces potential penalties of up to ₹250 crore for failing to secure user data. The exposure of such sensitive financial identifiers will likely trigger an immediate investigation by CERT-In.
- Targeted Social Engineering: With knowledge of a user’s “Occupation” and “Marital Status,” attackers can craft highly personalized phishing scripts (e.g., offering loan restructuring or investment “recovery” services).
Mitigation Strategies
In response to this claim, LenDenClub users and the platform must take immediate action:
- Mandatory Password Reset: LenDenClub must force a global password reset for all 11 million affected accounts. Users should change their passwords immediately, especially if they reuse them on other financial sites.
- Proactive Identity Monitoring: Users should check their CIBIL (Credit Score) reports for unauthorized loan applications. Lock biometric details in the mAadhaar app to prevent misuse of the Aadhaar number.
- Enhanced Fraud Detection: The platform must implement stricter fraud checks. Any attempt to change a registered bank account or mobile number should require video KYC or biometric re-verification.
- Legal Notification: LenDenClub must comply with the DPDP Act by notifying the Data Protection Board of India and affected users without delay to mitigate legal liability.
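The "Mandatory Password Reset" and "Enhanced Fraud Detection" items above can be combined into a single server-side gate on profile changes. The sketch below is an added example, not LenDenClub or Brinztech code; the event shape, field names, the `sms_otp` value and the 10-minute freshness window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SENSITIVE_FIELDS = {"bank_account", "mobile_number"}  # changes named above
STEP_UP_METHODS = {"video_kyc", "biometric"}          # checks named above
STEP_UP_MAX_AGE = timedelta(minutes=10)  # assumption: proof expires quickly

@dataclass
class ChangeRequest:  # hypothetical event shape, not a LenDenClub schema
    account_id: str
    field: str
    requested_at: datetime
    password_reset_done: bool            # forced reset completed?
    step_up_method: Optional[str] = None
    step_up_at: Optional[datetime] = None

def evaluate(req: ChangeRequest) -> tuple:
    """Return (allowed, reason) for one profile-change request."""
    if req.field not in SENSITIVE_FIELDS:
        return True, "non-sensitive field"
    if not req.password_reset_done:
        # A leaked password must never be enough to move money.
        return False, "forced password reset pending"
    if req.step_up_method not in STEP_UP_METHODS or req.step_up_at is None:
        return False, "step-up verification missing"
    age = req.requested_at - req.step_up_at
    if age < timedelta(0) or age > STEP_UP_MAX_AGE:
        # Reject proofs from the future or replayed from an old session.
        return False, "step-up verification stale"
    return True, "step-up verified"

def review(events):
    """Map each account id to its decision."""
    return {e.account_id: evaluate(e) for e in events}

NOW = datetime(2025, 1, 1, 12, 0)  # constructed timestamps
SAMPLE_EVENTS = [  # constructed sample data
    ChangeRequest("A1", "occupation", NOW, False),
    ChangeRequest("A2", "bank_account", NOW, False, "biometric", NOW),
    ChangeRequest("A3", "mobile_number", NOW, True, "sms_otp", NOW),
    ChangeRequest("A4", "bank_account", NOW, True, "video_kyc",
                  NOW - timedelta(hours=2)),
    ChangeRequest("A5", "bank_account", NOW, True, "video_kyc",
                  NOW - timedelta(minutes=3)),
]

if __name__ == "__main__":
    for account, (allowed, reason) in review(SAMPLE_EVENTS).items():
        print(account, "ALLOW" if allowed else "DENY", reason)
```

Denied requests are worth logging with their reason string, since a burst of "forced password reset pending" denials on bank-account changes is itself a signal that leaked credentials are being tried.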
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com