Roughly 8 million customers of the mobile payment app Cash App may have been impacted by a data breach following the collection of reports containing personal information of US users by a former employee of the company.
On Monday, Block, the financial services firm founded by Twitter founder Jack Dorsey and which owns Cash App, stated that it discovered the former employee obtained the information in December.
Even though the ex-employee gained access to the information while working for the organization, the report states that the material was downloaded after the person left.
Although the data transfer did not include usernames, passwords, Social Security numbers, or bank account information, it did contain full names and brokerage account numbers, which are used to track a user’s stock activity on Cash App Trading. Some information also breached “included brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for one trading day.”
According to the filing, the only users who may be impacted are those that use Cash App Investing in the United States, which totals around 8.2 million people. Block said it is contacting all current and former customers of the feature “to provide them with information about this incident and sharing resources with them to answer their questions.”
Block added it has also notified law enforcement of the breach.
“The Company takes the security of information belonging to its customers very seriously and continues to review and strengthen administrative and technical safeguards to protect the information of its customers.
“Although the Company has not yet completed its investigation of the incident, based on its preliminary assessment and on the information currently known, the Company does not currently believe the incident will have a material impact on its business, operations, or financial results,” the filing stated
As per Adam Darrah, head of intelligence services at cyber security company ZeroFox, the breach is unlikely to harm customers directly, but may do so if the data is eventually stolen.
“This information by itself is not valuable. It has to be paired with other stuff,” Darrah said. “Bad guys can then be more efficient in their illegal shenanigans, meaning breaking into an account and taking stuff out of an account.
“They’ll use their magic machines that they have to try to find specific accounts that they can break into. That’s most likely endgame here,” he added.
Darrah recommended all Cash App users to reset their passwords and use two-factor authentication to safeguard against potential security breaches.