Over 8 million Cash App users possibly affected by data breach from a former employee

Over 8 million users of the mobile payment app Cash App could be affected by a data breach after a former employee of the company downloaded reports containing the personal information of U.S. users.

On Monday, Block, the financial service company that owns Cash App and was created by Twitter founder Jack Dorsey, announced it learned the former employee downloaded the information in December, according to a report filed with the U.S. Securities and Exchange Commission.

Although the ex-employee had access to the information during employment, the report says the information was downloaded after the employee was no longer with the company.

The data downloaded didn't include usernames, passwords, Social Security numbers or bank account information, but it did include full names and brokerage account numbers, which are used to identify a user's stock activity on Cash App Investing. Some information also breached "included brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for one trading day."

The filing says the only potentially affected users include those in the U.S. who use Cash App Investing, which is around 8.2 million users. Block said it is contacting all current and former customers of the feature "to provide them with information about this incident and sharing resources with them to answer their questions."

Block added it has also notified law enforcement of the breach.

"The Company takes the security of information belonging to its customers very seriously and continues to review and strengthen administrative and technical safeguards to protect the information of its customers.

"Although the Company has not yet completed its investigation of the incident, based on its preliminary assessment and on the information currently known, the Company does not currently believe the incident will have a material impact on its business, operations, or financial results," the filing stated.

Adam Darrah, director of intelligence services at cyber security company ZeroFox, told USA TODAY the incident shouldn't directly affect users but could impact them if that data is eventually stolen.

"This information by itself is not valuable. It has to be paired with other stuff," Darrah said. "Bad guys can then be more efficient in their illegal shenanigans, meaning breaking into an account and taking stuff out of an account.

"They'll use their magic machines that they have to try to find specific accounts that they can break into. That's most likely endgame here," he added.

Darrah advised all Cash App users update their passwords and enable two factor authentication to protect themselves from any future concerns.

USA TODAY has reached out to Cash App for comment.

(c)2022 USA Today
Distributed by Tribune Content Agency, LLC.