
Cash App Data Breach: What Happened, What Was Exposed, and What to Do Now

Our cybersecurity experts break down both of Cash App’s data breaches and how you can identify potentially fraudulent transactions.

By Gene Petrino
Last Updated Mar 31, 2026

Cash App is one of the most widely used peer-to-peer payment apps in the United States. Tens of millions of people use it to send money, hold balances, invest in stocks, and buy Bitcoin. With so many users, the two data breaches the app experienced between 2021 and 2023 affected millions of current and former users. They also resulted in unauthorized account access and fraudulent transactions for some, and ultimately led to a $15 million class action settlement.

Both breaches involved insiders or unauthorized users exploiting access to customer data, rather than an external hacker breaking through technical defenses. That distinction matters both for understanding what was exposed and for thinking about what users can do to protect themselves from identity theft and other fraud going forward.


The Two Breaches

December 2021: A Former Employee Downloads Customer Reports

Cash App’s data breaches did not expose Social Security numbers, even though they’re required at sign‑up

The first breach was a straightforward insider threat. On December 10, 2021, a former Cash App employee downloaded reports containing sensitive customer data without authorization. The individual had legitimately accessed these reports as part of their job while employed. After their employment ended, they retained access and used it to download the files. [1]

Block, Cash App’s parent company, did not discover the incident until December 2021. But it waited until April 4, 2022, more than four months later, to publicly disclose the breach through an SEC filing. That delay drew significant criticism and became a central point of contention in the subsequent class action litigation.

Block said it was contacting approximately 8.2 million current and former Cash App customers about the incident. The downloaded reports contained users’ full names and brokerage account numbers. For some customers, the data also included brokerage portfolio value, portfolio holdings, and stock trading activity for one trading day. The breach was specific to Cash App Investing users in the United States.

Block confirmed that no usernames, passwords, Social Security numbers, dates of birth, payment card information, bank account information, or addresses were included in the downloaded reports. Cash App accounts outside the United States and products other than Cash App Investing were not affected.

Expert Insight: Despite the two data breaches, Cash App is a safe app overall. They use strong data protection policies to limit the amount of data leaked in the event of a breach and they follow relevant regulations. A bigger risk of using Cash App than another breach is falling victim to a Cash App scam. Check out our guide to avoiding scams to limit those risks too.

2023: Unauthorized Account Access via Recycled Phone Numbers

The second incident stemmed from a quirk in how Cash App handles account authentication. Cash App does not use traditional passwords. Instead, users confirm their identity through a verification code sent to their email or phone number. This means that if someone gains access to a phone number previously linked to a Cash App account, they can potentially gain access to that account.

In 2023, Cash App notified some customers that an unauthorized user had logged into their accounts using a phone number that was linked to them and had subsequently been recycled by their mobile carrier. When phone carriers reassign old numbers to new subscribers, those new subscribers can sometimes receive verification codes intended for the previous holder, enabling account access they are not entitled to. [2]
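A server-side guard against the recycled-number problem described above, as an added example that is not Cash App's code: before sending a login code by SMS, compare the date the account last proved control of its number with the date a carrier last disconnected that number. The `last_disconnect` lookup, the `Account` fields, the 365-day limit and the sample numbers are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Account:
    user_id: str
    phone: Optional[str]
    phone_verified_on: Optional[date]  # last day the user proved control of the number
    email: Optional[str]

# Constructed sample data: number -> date a carrier last disconnected it.
DISCONNECTS = {"+12025550100": date(2023, 2, 1)}

def last_disconnect(phone):
    """Hypothetical lookup; a real one would query a number-reassignment data source."""
    return DISCONNECTS.get(phone)

def otp_channel(acct, today, lookup=last_disconnect, max_age_days=365):
    """Pick how to deliver a login code: 'sms', 'email' or 'manual_review'."""
    fallback = "email" if acct.email else "manual_review"
    if not acct.phone or acct.phone_verified_on is None:
        return fallback
    disconnected = lookup(acct.phone)
    # Number was released after the user last proved control: it may belong
    # to a different subscriber now, so an SMS code proves nothing.
    if disconnected is not None and disconnected >= acct.phone_verified_on:
        return fallback
    # No disconnect record, but the proof of control is old: do not rely on it.
    if (today - acct.phone_verified_on).days > max_age_days:
        return fallback
    return "sms"

if __name__ == "__main__":
    old_owner = Account("u1", "+12025550100", date(2021, 6, 1), "u1@example.com")
    new_owner = Account("u2", "+12025550100", date(2023, 3, 1), None)
    print(otp_channel(old_owner, date(2023, 6, 1)))  # number recycled since verification
    print(otp_channel(new_owner, date(2023, 6, 1)))  # verified after the reassignment
```

The same number yields different answers for the two accounts because the decision depends on when each account verified it, not on the number alone.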

This incident resulted in unauthorized access to user accounts and, in some cases, fraudulent transactions. The exact number of customers affected was not publicly disclosed. Unlike the 2021 breach, this incident exposed personal information visible within the app, including full names, account balances, and recent transaction history. Linked cards and bank account details for some users were also potentially leaked.


Breaches at a Glance

Cash App’s two data breaches are often mistaken for a single incident, but they are distinct. They share a few similarities, though they affected different people and exposed different types of data. Here’s a quick comparison of the two:

| | 2021 Insider Breach | 2023 Account Access Breach |
|---|---|---|
| Cause | Former employee downloaded reports after leaving the company | Unauthorized users accessed accounts via recycled phone numbers |
| Customers affected | ~8.2 million notified | Undisclosed |
| Data exposed | Names, brokerage account numbers, portfolio values, holdings, one day of trading activity | Names, balances, transaction history, potentially linked card or bank account details |
| What was NOT exposed | Passwords, SSNs, payment card info, bank account numbers, addresses, DOBs | No credit card or SSN data confirmed exposed |
| Disclosed | April 4, 2022 (four months after discovery) | 2023 (timing of disclosure not fully publicized) |

 

Who Was Behind the Breaches

The 2021 breach was an insider threat caused by a failure in offboarding. When a Cash App employee left their employment, they retained access to documents that were only for internal use.

Insider threats present a particularly difficult detection problem. Because the person already has authorized access, their activity does not trigger the same alerts that an external intrusion would. That’s why insider incidents often take longer to detect than external attacks, causing greater cumulative damage before they are caught.
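One way to catch the offboarding gap described above, shown as an added example rather than anything Block or Cash App is known to run: join data-access audit events against HR status, a source the account itself cannot influence. The roster, log format, account names and timestamps below are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed HR roster: account -> termination time (None means still employed).
HR_ROSTER = {
    "alice": None,
    "bob": datetime(2024, 3, 1, 17, 0),
}

# Constructed audit log: timestamp, account, action, object.
AUDIT_LOG = """\
2024-02-28T10:02:11,bob,report_download,customer_report.csv
2024-03-09T03:14:09,bob,report_download,customer_report.csv
2024-03-09T09:30:00,alice,report_download,customer_report.csv
2024-03-10T08:00:00,svc-old,report_view,customer_report.csv
"""

def post_termination_access(log_text, roster):
    """Return audit events made by terminated or unrostered accounts."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip malformed lines rather than guess at fields
        ts, user, action, obj = row
        when = datetime.fromisoformat(ts)
        if user not in roster:
            reason = "account not in HR roster"
        elif roster[user] is not None and when > roster[user]:
            reason = f"{(when - roster[user]).days} days after termination"
        else:
            continue  # active employee, or access before the termination time
        findings.append({"time": ts, "user": user, "action": action,
                         "object": obj, "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in post_termination_access(AUDIT_LOG, HR_ROSTER):
        print(finding)
```

Accounts missing from the roster are reported as well, since shared or orphaned credentials are another way access outlives employment.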

The 2023 breach was exploited by unauthorized external parties who leveraged a structural vulnerability in Cash App’s passwordless authentication system. They used recycled phone numbers to bypass the authentication. Cash App notified affected users and alerted law enforcement, but the identities of the individuals responsible were not publicly disclosed.

The $15 Million Class Action Settlement

Our cybersecurity expert submitted a claim for the Cash App settlement related to the 2021 data breach

Following both breaches, multiple class action lawsuits were filed against Block, Inc. and Cash App Investing, LLC. The suits were consolidated into a single proceeding: Salinas, et al. v. Block Inc., et al. [3] The plaintiffs alleged that Cash App and Block were negligent, failed to implement adequate security controls, did not adequately respond to customer complaints about unauthorized transactions, and delayed notifying affected users.

Block and Cash App Investing denied any wrongdoing or liability but agreed to a $15 million settlement to resolve the litigation. Block also committed to improving its data security practices as part of the agreement.

The settlement covered current and former Cash App users whose account or personal information was accessed without consent, or who experienced unauthorized or fraudulent withdrawals or transfers, between August 23, 2018, and August 20, 2024. Eligible claimants could receive up to $2,500 for documented out-of-pocket losses and up to three hours of lost time at $25 per hour. There’s also additional compensation available for documented fraudulent transaction losses. The deadline to file a claim was November 18, 2024.

The claims window has now closed. If you filed a claim before the deadline and the settlement received final court approval, you should receive payment by check or electronic transfer. You cannot submit a claim after the deadline, though consulting a consumer protection attorney about other options may be worthwhile depending on the losses you experienced.

FYI: While $15 million is a lot of money, it’s a relatively small settlement for a data breach. For instance, the AT&T data breach involved a $177 million settlement, although that breach affected over 100 million people.

What Cash App Users Should Do Now

Check Whether You Were Notified

Block said it contacted approximately 8.2 million current and former customers about the 2021 breach. Cash App sent notifications about the 2023 account access incident as well. If you received any communication from Cash App or Block referencing a security incident, your account was potentially involved. You can confirm whether or not your information was in a breach by contacting Cash App support through the app.

Review Your Account for Unauthorized Transactions

Go through your Cash App transaction history and look for any transfers, payments, or withdrawals you do not recognize. The 2023 breach in particular resulted in fraudulent transactions on some accounts. If you identify anything suspicious, report it immediately through Cash App support, your linked bank or card provider, and report the scam to the FTC at ReportFraud.ftc.gov.

Update the Phone Number and Email on Your Account

Because Cash App uses phone number and email verification instead of passwords, securing your contact information is the most important thing you can do to lock down access. Make sure the phone number and email linked to your account are current and under your active control. Any old number associated with your account may have been recycled by your carrier, so replace it with your current number immediately.

Enable Additional Security Features

Cash App offers a Security Lock feature that requires your device passcode, Face ID, or Touch ID each time the app is opened. Enabling this adds a layer of protection against someone who gains physical access to your phone or device. You can also enable notifications for every transaction so you are alerted immediately to any activity on your account.

Check Have I Been Pwned

Entering your email address at Have I Been Pwned can surface whether your credentials have appeared in any known breach datasets. While Cash App does not use traditional passwords, your email address credentials may have been exposed in other connected breaches. Then, someone could use your leaked email credentials to access your account, using your email as authentication.

Pro Tip: When creating passwords for your accounts, always use strong passwords with at least 12 characters using letters, numbers and symbols. You can run them through our password strength checker to ensure they’re strong enough to keep your account safe. Or, just use our password generator to create a new, safe one off the bat.

Be Alert to Cash App-Themed Phishing

The theft of names and brokerage account numbers in 2021 gives criminals enough information to craft convincing impersonation attempts. Be skeptical of any unsolicited texts, emails, or calls claiming to be from Cash App, and never share your verification codes with anyone. It’s the number one tip for protecting yourself against phishing. Plus, Cash App will never reach out asking for personal info or a login code.


When Your Financial App Knows More About You Than You Realize

Cash App accounts hold a detailed record of your financial life: who you pay, how frequently, how much you keep in your balance, and what you invest in. Most users focus on protecting against account takeovers, which is the right instinct. But the 2021 breach illustrates another risk: the data that apps accumulate can be accessed by insiders, and once it is exported, there is little the company can do to retrieve it.

Part of managing that broader risk is reducing how much of your personal information is available from other sources. Data brokers compile and sell information from public records, social media, and past breaches, making it easy for anyone to build a profile on you before they ever contact you for a scam. We tested Incogni, one of the top data removal services, and found it effectively reduced our online footprint. It removed our data from over 700 sites in just three months. That made us a harder target for the social engineering and phishing attacks that often follow data breaches.


The Bottom Line

Cash App’s two breaches between 2021 and 2023 exposed the data of millions of users through two very different mechanisms. The 2021 breach was caused by a disgruntled former employee who kept post-termination access to customer reports. In the 2023 breach, a structural authentication vulnerability allowed recycled phone numbers to unlock accounts. Neither breach exposed passwords or Social Security numbers, but both created real risks of fraudulent transactions and account takeover.

The $15 million settlement deadline has passed, so that specific avenue for compensation is closed. However, you can reduce the risk of losses by reviewing your account for unauthorized activity, securing your login contact information, enabling Cash App’s security features, and staying alert to phishing attempts. You may also want to consider investing in Incogni to reduce the exposure of your personal data.

Frequently Asked Questions

  • How many people were affected by the Cash App data breach?

    Block notified approximately 8.2 million current and former Cash App customers about the 2021 insider breach. The 2023 account access incident affected an undisclosed number of users. That said, Cash App notified those whose accounts showed evidence of unauthorized access.

  • Was my Social Security number or bank account number exposed?

    Block confirmed that the 2021 insider breach did not expose Social Security numbers, passwords, bank account numbers, payment card information, or addresses. The reports that were downloaded contained names, brokerage account numbers, and for some users, portfolio values, holdings, and one day of trading activity. The 2023 incident exposed information visible within the app, such as balances and transaction history, and potentially linked card or bank account details for some affected accounts.

  • Can I still file a claim for the Cash App settlement?

    No. The deadline to file a claim in the $15 million class action settlement was November 18, 2024. The final approval hearing was held on January 13, 2025. If you filed a valid claim before the deadline, you should receive payment once the settlement is fully processed. If you missed the deadline, you are no longer eligible to recover from this fund.

  • How did the Cash App breach happen?

    The 2021 breach happened because a former employee retained access to internal reporting systems after their employment ended and downloaded customer data. It was a failure of offboarding procedures rather than a technical hack. The 2023 breach exploited Cash App’s passwordless authentication system. Because the app sends login codes to phone numbers rather than requiring passwords, unauthorized individuals who gained access to recycled phone numbers formerly linked to Cash App accounts were able to log in.

  • What should I do if my Cash App account was hacked?

    If you notice unauthorized transactions or account access, act quickly. Report the activity to Cash App through the app’s support function. Contact your linked bank or credit card provider to dispute any fraudulent transactions. File a report with the FTC at ReportFraud.ftc.gov. Change the email address and phone number linked to your Cash App account if those may have been compromised, and enable Cash App’s Security Lock feature. If the fraudulent activity resulted in financial losses you could not recover, document everything in case of future legal options.

Citations
  1. Reuters. (2025). Block defeats shareholder lawsuit over 2021 Cash App data breach. https://www.reuters.com/sustainability/boards-policy-regulation/block-defeats-shareholder-lawsuit-over-2021-cash-app-data-breach-2025-09-09/

  2. Payments Journal. (2024). The Cash App Breach Involved an Inside Actor. https://www.paymentsjournal.com/the-cash-app-breach-involved-an-inside-actor/

  3. GovInfo. (2022). 22-4823 – Salinas et al v. Block, Inc. et al. https://www.govinfo.gov/app/details/USCOURTS-cand-3_22-cv-04823/context