Katapult.com

In September 2020 the lease to own platform Katapult experienced a significant security incident resulting in the exposure of user data. The breach affected approximately 2.2 million customers. The compromised information included personal identifiers and security credentials. Malicious actors managed to access the database containing user profiles and authentication details. Security analysis confirmed that while passwords were not stored in plain text they were available as salted PBKDF2 hashes which are resistant but not immune to cracking. The incident highlighted vulnerabilities in the platforms storage of customer records.