SoFi Hong Kong Breach Exposes Customer Data at Third-Party Vendor

SoFi discovered unauthorized access to a database used by its Hong Kong securities unit on April 30, 2026, after detecting activity that indicated hackers had reached that database via one of the company's vendors.

How the intrusion was detected and what was accessed

SoFi Hong Kong told customers that it identified the incident on April 30, 2026, when it detected "unauthorized access to a database of SoFi Securities (Hong Kong) Limited via one of its vendors." The company attributes the point of entry to a third-party vendor rather than to its own internal systems; beyond that, SoFi says its investigation is ongoing and it has not yet identified which specific data elements, if any, were exposed.

Investigation steps and public statements

After discovery, SoFi says it engaged a third-party cybersecurity firm to respond to the incident and is still actively reviewing the situation. In communications shared with BleepingComputer and sent directly to customers, the company acknowledged uncertainty about the scope and impact: "We do not yet have complete information about the scope and impact of the incident, or whether (and, if so, which categories of) your personal data was involved," the email states.

A SoFi spokesperson confirmed the breach in a statement to BleepingComputer but declined to answer follow-up questions about how many customers were affected, whether the company faced extortion, or the identity of the third-party vendor implicated in the intrusion.

Customer guidance, account safeguards, and support contacts

SoFi's communications to customers contain specific operational guidance. The company warned recipients to remain vigilant for phishing attempts, suspicious communications, and unusual account activity; it advised customers to update passwords, enable two-factor authentication where possible, monitor financial accounts for suspicious activity, and avoid opening links or attachments in unsolicited emails or messages. SoFi also said it has applied additional safeguards and monitoring to affected accounts and may request additional verification information from customers who contact support or make account changes.

For customers seeking further information, SoFi provided a Hong Kong support line, +852 26938888, and an email address, hello@sofi.hk.

What this means for technologists and end users

  • Technologists and security teams: SoFi's public account emphasizes the role of third-party vendors as a vector; the company engaged an outside cybersecurity firm and implemented extra monitoring on accounts, underscoring that vendor-managed databases can require rapid incident response and investigative support from external specialists.
  • End users and the general public: SoFi's advice to change passwords, enable two-factor authentication, monitor accounts, and be wary of unsolicited links reflects the immediate, actionable steps customers were asked to take while the company continues to determine whether personal data was exposed.

Open questions and the immediate next steps

Several concrete facts remain unresolved in SoFi's disclosures: the identity of the third-party vendor used to host the compromised database, the total number of customers potentially affected, whether any particular categories of personal data were accessed, and whether the company faced extortion or other follow-on demands. SoFi has said the investigation is ongoing and that it is "actively reviewing the situation" while applying additional safeguards and monitoring to affected accounts. Customers are left with the operational guidance and the support contacts the company provided as the official avenues for updates.

Read the original BleepingComputer report: https://www.bleepingcomputer.com/news/security/sofi-confirms-third-party-data-breach-at-hong-kong-subsidiary/