Cash App notifies 8.2 million US customers about data breach

Cash App is notifying 8.2 million current and former US customers of a data breach after a former employee accessed their account information.

Block, Inc., the owner of Cash App, disclosed in a Form 8-K SEC filing that the breach occurred on December 10th, 2021, after a former employee downloaded internal Cash App reports while no longer employed at the company.

Block says that the reports included Cash App customers' full names and brokerage account numbers associated with investment activity on Cash App. For some customers, additional information was exposed in the reports, including portfolio values, holdings, and possibly trading activity for one trading day.

As first reported by TechCrunch, the data breach did not include more sensitive information, such as credentials, Social Security numbers, and payment information.

"The reports did not include usernames or passwords, Social Security numbers, date of birth, payment card information, addresses, bank account information, or any other personally identifiable information," reads Block's Form 8-K filing.

"They also did not include any security code, access code, or password used to access Cash App accounts. Other Cash App products and features (other than stock activity) and customers outside of the United States were not impacted."

In response to our requests for more details, a Cash App spokesperson shared the following statement with BleepingComputer.

"At Cash App we value customer trust and are committed to the security of customers’ information. Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm. We know how these reports were accessed, and we have notified law enforcement. We are also contacting customers whose data was impacted. In addition, we continue to review and strengthen administrative and technical safeguards to protect information."

Block says that they are notifying the 8.2 million customers impacted by the breach to provide further information about the incident.

The company also states that they notified regulation authorities and law enforcement about the breach