The Cash App data breach was caused by a former employee who accessed customer financial reports as an act of revenge against the company after their employment was terminated.

According to the April 2, 2022 filing with the Securities Exchange Commission by Block (CashApp’s parent company), the employee required access to the financial reports as part of their daily duties. After termination, on December 10, 2022,  the employee downloaded these reports without permission, stealing the following customer details.

  • Full names.
  • Brokerage Account numbers (unique identification numbers associated with a customer’s stock activity on Cash App Investing).
  • Brokerage portfolio values
  • Brokerage portfolio holdings 
  • Stock trading activity for one day of trading.

Cash App notified approximately 8.2 million current and former customers likely to have been impacted by the breach. Unfortunately, the delay of this breach notification - which was sent four months after the incident - prolonged the risk of follow-up cyberattacks targeting impacted customers. The negligence of this unnecessary delay, combined with a deficiency of basic security controls that could have prevented the breach, resulted in a class action filing against Cash App Investing and its parent company, Block.

Defendant Block offered no explanation for the four-month delay between the initial discovery of the Breach and the belated notification to affected customers, which resulted in Plaintiffs and Class members suffering harm they otherwise could have avoided had a timely disclosure been made.

- Page 8 of Class action filing against plaintiff BLOCK, INC., and CASH APP INVESTING, LLC,

Cash App has had a tumultuous security history, primarily in the area of customer account compromise.

Almost all online reviews for Cash App include complaints about account hacking and financial fraud, with some customers posting tweets about their account compromise experiences. 

Twitter post about Cash App Hack
Twitter post from Cash App account hack victim.

But the prevalence of account compromise attempts isn’t necessarily indicative of security vulnerabilities on the Cash App platform. Since the pandemic began, cybercriminals have been taking advantage of increasing concerns over the security of online funds by, ironically, fooling finance app users into falling for fraudulent account compromise messages leading to credential theft.

Bar chart of rising scammer trends across payment apps
Source: Apptopia

Cash App’s security weakness lies in its poor response efforts during customer account hacks, a characteristic that’s highlighted in the company’s delayed breach notification following this latest insider threat breach.

Sarah Jensen, the person who tweeted about their Cash App account being depleted overnight (see above), said that it was almost impossible to connect to a human Cash App customer service rep for support following the breach. Customers are given the option of contacting support via the app, but these requests are usually handled by bots rather than humans.

“It's almost like an abusive relationship where you're trying to get a hold of somebody, and they’re completely ghosting you.

- Excerpt of a conversation between Yahoo Finance and Sarah Jensen, a Cash App account hack victim.
Text reading - Cash App Security Report

See how your organization's security posture compares to Cash App's.

View Cash App's security report.

How to Prevent Falling Victim to a similar Data Breach

The Cash App data breach was possible because a lack of essential security controls. By implementing these controls into your cybersecurity program, your business could avoid a similar fate.

1. Block Account Access for former and soon-to-be former Employees

The Cash App breach could have been prevented if the terminated employee had immediately lost access to their accounts. IT teams should, ideally, be poised to block account access through account management systems immediately following a termination notice - especially if an employee is likely to resort to retributive actions.

The threat of malicious employees isn’t unique to Cash App. According to a survey by the Wall Street Journal, almost 70% of companies are concerned about the risk of insider threats.

2. Secure all Accounts with MFA

To reduce login friction, and offer a better user experience, Cash App accounts don’t have passwords. Instead, whenever a user attempts to log in, they confirm their identity by submitting a verification code sent to their email or phone number. The problem with this login mechanism is that it could be exploited by compromising a victim’s email address. Given that most email addresses have already been compromised in major data breaches, and password recycling across multiple solutions is a bad habit most people have, this Cash App login pathway isn’t difficult to intercept.

Many Cash App accounts can be found on dark web marketplaces, with listings including the associated email and password of the compromised Cash App account. 

To prevent data breaches from occurring through exploited login pathways, all user accounts must be protected with MFA. If implementing an MFA protocol, be sure to account for these common MFA bypass methods.

3. Implement a Data Leak Detection Solution

A data leak is an unknown exposure of sensitive information, occurring through software misconfigurations or data dumps on the dark web - like the Cash App listings on dark web marketplaces. 

Dark web data leaks are the most common and also the most difficult category of data leaks to manage. Following a data breach, cybercriminals almost immediately list their bounty of stolen account details for sale on dark web marketplaces. Though these events are critical breaches of security, they’re not the most dangerous type of data leak because a payment gateway prevents unmitigated access to listings.

The more serious type of data leak is when ransomware attackers freely publish stolen data on dark web blogs to punish victims that refuse to pay a ransom. This is what happened when Medibank refused to yield to the extortion tactics of its attackers.

With a ransomware blog data leak detection solution like UpGuard, your organization is instantly notified when sensitive credentials have been detected on ransomware blogs. This rapid awareness allows security teams to secure compromised credentials before they’re targeted in follow-up attacks.

UpGuard's Ransomware Leak detection feature.
UpGuard's Ransomware Leak detection feature.

Click here to request a free 7-day trial of UpGuard >

Free

UpGuard logo in white
UpGuard free resources available for download

Ready to see
UpGuard in action?