A third-party vendor database breach hit SoFi Securities (Hong Kong) Limited on April 30, 2026. The company doesn’t know what was taken.
SoFi, the U.S.-based fintech offering banking, investing, and loans, notified Hong Kong securities customers that hackers accessed a vendor database holding their personal information. The company still can’t say which customers were affected, what categories of data were exposed, or whether extortion was involved. Its spokesperson declined to name the vendor.
The disclosure to customers was notably thin: “We do not yet have complete information about the scope and impact of the incident, or whether (and, if so, which categories of) your personal data was involved.” SoFi engaged a third-party cybersecurity firm and added monitoring to affected accounts. Customers got the standard list: update passwords, enable two-factor authentication, watch for phishing.
Here’s the context: this is SoFi’s second breach. A prior incident on its U.S. operations exposed personal data on Washington State residents, including names, dates of birth, and addresses. Two breaches across two continents points to oversight gaps that run deeper than geography.
Under SEC cybersecurity disclosure rules adopted in July 2023, material cyber incidents require an 8-K filing within four business days of determining materiality. SoFi has filed no such 8-K for the Hong Kong breach. Either the company assessed it as non-material, or it’s extending the investigation window before making that call. Affected customers can reach SoFi at +852 26938888.
Marcus Webb