Credit Acceptance Corp. Data Breach Exposes Social Security Numbers

Finance data breach illustration
Breach Discovery: 4th June 2026Breach Notification: 30th June 2026

What Happened in the Credit Acceptance Data Breach?

Credit Acceptance Corp., a financial services company based in Southfield, Michigan, has disclosed a data breach that exposed sensitive customer information. The Credit Acceptance data breach involved unauthorized access to systems containing personal data. As a result, names and Social Security numbers tied to consumers were compromised.

According to the notification filed with the Massachusetts Office of Consumer Affairs and Business Regulation, Credit Acceptance discovered the breach on June 4, 2026. The company then notified regulators on June 30, 2026. Because the filing does not state exactly when unauthorized access first began, that detail has not been publicly disclosed.

Following the discovery, Credit Acceptance appears to have launched an internal review to determine the scope of the incident. This is a standard step after a suspected intrusion. However, the source does not provide additional forensic details, such as the attack method or whether a specific threat actor claimed responsibility.

In response to the incident, Credit Acceptance began the process of identifying affected individuals and preparing notification letters. This process typically follows a forensic investigation to confirm which data elements were actually accessed. As a result, the company was able to confirm that names and Social Security numbers were involved.

Who was affected?

The breach may affect consumers who have financial relationships with Credit Acceptance, including current and former customers. Because Credit Acceptance operates as an auto finance company, those affected likely include individuals who financed vehicle purchases through the company’s lending programs. The exact number of affected individuals has not been publicly disclosed.

In addition, the geographic scope of the breach has not been specified beyond the regulatory filing in Massachusetts. This means residents in other states could also be affected. For example, companies that file with one state’s regulator often notify residents nationwide, since data breaches rarely stay confined to a single region.

It also remains unclear whether the exposed data includes information belonging to minors or joint account holders. Given that auto loans often involve co-signers, the pool of affected individuals could extend beyond primary borrowers. Anyone who has financed a vehicle through Credit Acceptance should consider themselves potentially at risk until they receive official confirmation.

What Information Was Potentially Exposed?

The Credit Acceptance data breach resulted in the exposure of specific categories of personal information. Based on the details disclosed to regulators, the following data types were involved:

  • Full names
  • Social Security numbers

Because Social Security numbers are among the most sensitive pieces of personal data, their exposure creates serious risk. Criminals can use a Social Security number, often combined with a name, to open new credit accounts, file fraudulent tax returns, or apply for loans in someone else’s identity. This type of fraud can be difficult to detect until significant damage has already occurred.

Furthermore, identity thieves frequently combine stolen Social Security numbers with other publicly available information to bypass security questions on financial accounts. This means affected individuals could face risks well beyond simple credit card fraud. In addition, synthetic identity fraud, where criminals blend real and fake information to create new identities, has become an increasingly common outcome of these breaches.

What is the company doing?

In response to the breach, Credit Acceptance is offering affected individuals 24 months of complimentary identity monitoring services through Kroll. This service is designed to help detect suspicious activity tied to the exposed information. Affected individuals can activate this protection by visiting Kroll’s enrollment page and entering the membership number provided in their notification letter.

Additionally, Credit Acceptance has set up a dedicated phone line so affected individuals can ask questions about the incident. Representatives are available Monday through Friday, from 8:00 a.m. to 5:30 p.m. Central Time, excluding major U.S. holidays. This step gives affected consumers a direct way to seek clarification about their specific exposure.

Beyond these immediate measures, it is likely that Credit Acceptance has also reviewed and strengthened its internal security protocols. Companies that experience a breach of this nature typically conduct a broader security assessment afterward. However, the source does not detail any specific technical remediation steps taken by Credit Acceptance.

What Should Affected Individuals Do?

Monitor Your Credit Reports Closely

Affected individuals should request and review their credit reports from all three major credit bureaus: Equifax, Experian, and TransUnion. Consumers are entitled to a free credit report from each bureau annually through AnnualCreditReport.com. Checking these reports regularly can help you spot unfamiliar accounts or inquiries early.

Because Social Security numbers were exposed, ongoing vigilance is especially important. For example, watch for new credit inquiries you did not initiate or accounts you do not recognize. If you spot anything suspicious, report it to the credit bureau immediately and consider filing a police report.

Consider a Credit Freeze or Fraud Alert

Given that Social Security numbers were involved in this breach, placing a credit freeze with each of the three credit bureaus is a strong protective step. A credit freeze restricts access to your credit file, which makes it much harder for identity thieves to open new accounts in your name. This service is free and can be lifted temporarily whenever you need to apply for credit yourself.

Alternatively, you could place a fraud alert on your credit file, which requires creditors to take extra steps to verify your identity before extending credit. This option is less restrictive than a freeze but still adds a layer of protection. Either way, acting quickly reduces the window of opportunity for criminals to misuse your information.

Enroll in the Free Identity Monitoring Service

Because Credit Acceptance is offering 24 months of complimentary identity monitoring through Kroll, affected individuals should take advantage of this benefit promptly. Enrolling only requires visiting Kroll’s enrollment page and entering the membership number from your notification letter. This service can alert you to signs of identity misuse that you might otherwise miss.

In addition to enrolling, keep your notification letter in a safe place, since it contains your unique membership number. If you did not receive a letter but believe you may be affected, contact Credit Acceptance’s dedicated phone line for clarification. This ensures you don’t miss out on protection you may be entitled to receive.

Stay Alert for Phishing Attempts

After a data breach involving names and Social Security numbers, scammers often follow up with phishing emails, texts, or phone calls designed to look official. These messages may reference the breach itself to appear more convincing. As a result, you should never click links or share personal information in response to unsolicited messages.

Instead, verify any communication by contacting Credit Acceptance directly through its official phone number or website. Legitimate companies will not ask you to confirm sensitive details like your Social Security number over email. If you receive a suspicious message, report it and delete it rather than responding.

Consult a Data Breach Attorney

If you received a notification letter from Credit Acceptance, you may want to speak with a data breach attorney about your legal options. An attorney can help you understand whether you qualify for compensation and what steps to take next. Many attorneys offer free consultations for cases like this.

Because laws around data breach liability vary by state, professional legal guidance can clarify your specific rights. This is particularly useful if you experience actual financial harm as a result of the exposure. Taking this step early can help preserve your options if you later decide to pursue a claim.



More Information

Credit Acceptance Corp.

Massachusetts Office of Consumer Affairs and Business Regulation

Kroll’s enrollment page

Related Data Breaches