Credit Sesame Data Breach Investigation

Recently, Credit Sesame reported to the Attorney General of Vermont that the sensitive personal identifiable information in its care may have been accessed. According to the breach notice, Credit Sesame recently identified suspicious online activity related to user accounts.¹ As a result, Credit Sesame launched an investigation to determine the nature of the incident.

Through its investigation, Credit Sesame confirmed that sensitive personal information in its systems may have been compromised by an unauthorized third party during the breach. As a result, Credit Sesame began a review of the data to determine what information had been impacted as well as identify the specific individuals affected. The exact type of personal information potentially exposed has not been made publicly available by Credit Sesame. However, according to state reporting guidelines, “personal information” can include the following types of information:

• Name
• Social Security number
• Driver’s license or other government issued ID card numbers (e.g., individual taxpayer ID number, passport number, military ID card number)
• Financial account number of credit or debit card number
• Unique biometric data (e.g., fingerprint, retina or iris image, or other unique biometric representation)
• Genetic information
• Health record or records of a wellness program or similar program of health promotion or disease prevention (e.g., healthcare professional’s medical diagnosis or treatment of the consumer, health insurance policy number)

On April 14, 2025, Credit Sesame began mailing data breach notification letters to impacted individuals. Based on the breach notice sent to Vermont residents, Credit Sesame is providing affected individuals with a list of the specific types of sensitive information impacted and complimentary credit monitoring services. A link to the form breach notification letters that Credit Sesame filed with the Attorney General of Vermont is below.