Mubite s.r.o., Školská 660/3, Nové Město, ICO: 23221551 Praha 1, 110 00, Czech Republic | Copyright Ⓒ 2026 Mubite. All Rights Reserved.
When traders think about risk in prop trading, they think about leverage, drawdown, and liquidation. What most do not consider is the risk sitting in the KYC form they filled out to get paid. Two separate cyberattacks on Topstep in late 2025 exposed trader names, Social Security numbers, and government identification data.
Class action lawsuits are now being filed. And the story raises a question that every funded trader with a KYC-verified account should be asking right now.
There were two distinct incidents, and understanding both matters.
The first was a DDoS attack on September 8, 2025. After an extensive internal review, Topstep discovered on December 3, 2025 that between September 8 and October 16, certain files containing personally identifiable information may have been subject to unauthorised access. Affected traders received letters in early January 2026 confirming their names and Social Security numbers may have been compromised.
The second was a credential-stuffing attack on December 14, 2025, discovered the following day. Topstep's initial public response attempted to attribute this incident to traders reusing passwords from other breached sites — a characterisation that attracted significant criticism from the trading community and contributed to the legal action now underway.
Topstep responded by blocking suspicious IP traffic, forcing password resets, mandating multi-factor authentication that had previously been optional, and offering free identity theft protection services to affected users. Class action lawsuits are now being actively filed.
We want to be direct about something that most coverage of this incident has avoided.
Topstep is not uniquely negligent. It is the firm that got caught. The broader issue is structural: every prop firm that requires KYC verification is holding a dataset that includes, at minimum, government-issued ID documents and in many cases Social Security numbers or tax identification numbers. That data exists on servers. Those servers are targets.
The prop trading industry has grown rapidly with relatively little scrutiny of its data security infrastructure. From what we have observed across the industry, most firms are not regulated financial institutions with mandatory security standards. They are private companies with varying levels of investment in their technical security posture. When they collect identity documents to comply with payment processing requirements, they create a liability that their traders rarely think to evaluate before submitting.
The question is not whether Topstep should have done better. The question every funded trader should ask before their next KYC submission is: what data does this firm hold on me, where is it stored, and what evidence do I have that it is adequately protected?
From the cases we have analysed, crypto prop traders face a more acute version of this risk than futures or forex prop traders for two reasons.
First, crypto prop firms operate internationally with limited regulatory oversight. There is no mandatory security standard equivalent to PCI-DSS for payment processors or the CFTC's cybersecurity expectations for registered futures firms. The bar for what constitutes adequate data protection is effectively set by each firm's own judgment.
Second, payout structures in crypto prop trading often require identity verification at the withdrawal stage rather than at signup. This means traders sometimes submit KYC documents after they have already been trading and have profits to collect — a moment of high motivation where scrutinising the firm's security practices is the last thing on their mind.
The challenge rules at Mubite do not require KYC at signup or during the challenge phase itself. Identity verification is only required at the payout stage, meaning sensitive identity data is collected from a significantly smaller group — only traders who have passed a challenge and requested a withdrawal — rather than from every registrant upfront. That narrower exposure window is a meaningful structural difference from firms that collect documents before a trader has placed a single trade.
If you have submitted KYC documents to any prop firm, these are the steps we recommend taking regardless of whether that firm has disclosed any security incident:
Enroll in a credit monitoring service if you submitted your SSN to any prop firm. Free options include the credit bureaus' own monitoring tools, and many US-based firms are legally required to offer this following a breach.
Enable multi-factor authentication on every account connected to any trading platform, payment processor, or email address used for trading activity. Credential-stuffing attacks succeed specifically because traders reuse passwords across platforms.
Check whether the firms holding your data have published a security or privacy policy that describes how identity documents are stored, encrypted, and accessed. If that information is not published, ask directly before submitting documents.
Monitor your accounts at any prop firm that required KYC for unusual activity, particularly around payout requests and account settings changes.
The risk management principles that protect a funded trading account apply equally to the personal data that funds the account. You would not trade without a stop loss. Do not hand over identity documents without understanding what protection sits behind them.