Millions Of Users At Risk Of Cyber Attack: Buy Now Pay Later Apps Found Sharing Personal Data, Report Reveals

A new study by data‑privacy firm Incogni highlights the extensive amount of personal information collected and shared by popular buy‑now‑pay‑later (BNPL) apps. Researchers analysed eight top‑downloaded apps on the Google Play Store, including Afterpay, Klarna, Affirm, Sezzle, Zip, Uplift and Four. They found that, on average, these apps collect 14 distinct types of user data and share around five types with external partners.

Among the apps, Afterpay collects the most categories—20—and shares 17 of them with third parties, including credit scores, location, photos and videos, phone numbers, financial information, personal information, and much more. Klarna and Uplift each interact with 19 types of data, while apps like Sezzle and Zip notably gather users’ web‑browsing histories. Additionally, Affirm, Afterpay and Zip also collect precise location data, potentially implicating up to 53 million devices.

The data being collected ranges from basic identifiers like names, addresses and phone numbers, to more sensitive categories such as in‑app messages, browser history and credit ratings. Klarna, for instance, records in‑app messaging while Afterpay shares nine sensitive data categories directly for advertising purposes.

Incogni cautions that users often mistake BNPL apps for simple credit services but may unknowingly grant extensive permissions. This is compounded by a rise in data breaches: over 1,700 incidents were reported in the first half of 2025, up 5 percent from the same period in 2024.

Experts stress that while BNPL apps serve a convenient credit function, they also carry hidden privacy risks. Users should be aware of data‑sharing practices, and there are growing calls for stronger consumer monitoring and regulatory oversight to ensure transparency and protections in this evolving financial technology space.