What You Need To Know About Cash App's Massive Security Breach

Cash App users might want to check their emails because the app's publisher, Block, has revealed a massive data breach. The confirmation first came in a filing with the United States Securities and Exchange Commission (SEC) earlier this week, as reported by TechCrunch. The short filing details Block's discovery of the breach and the action it took, along with details on the type of information that was compromised.

Block's statement to the SEC notes that it was actually a former employee who gained unauthorized access to Cash App's servers and made off with some customer data. "On April 4, 2022, Block ... announced that it recently determined that a former employee downloaded certain reports of its subsidiary Cash App ... on December 10, 2021, that contained some U.S. customer information," the statement reads. "While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended."

While Block's filing with the SEC doesn't provide any info about the employee – most notable being when the employee was terminated and how they managed to get in – it does detail the data this employee made off with. It also gives us an idea of the number of customers impacted, as Block says that it's reaching out to "approximately 8.2 million current and former customers" to inform them of the breach.

Cash App security breach: What was stolen?

While user data was stolen in this breach, the good news is that it sounds like the impact on customers was limited. In that SEC filing, Block says the information in the stolen reports includes customers' full names and brokerage account numbers, while some users also had their "brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for one trading day" stolen in the breach.

Block is also clear that the stolen reports didn't include passwords, usernames, social security numbers, card information, addresses, bank account details, or security codes. That will certainly be a relief to hear because even though we're sure customers don't like having their full names and brokerage account details out there, this breach could have been far worse had the former employee made off with passwords or credit card numbers.

In a statement to CNET, Block outlined what it currently knows and the road ahead. "Upon discovery, we took steps to remediate this issue and launched an investigation with the help of a leading forensics firm," a Block spokesperson said. "We know how these reports were accessed, and we have notified law enforcement. We are also contacting customers whose data was impacted. In addition, we continue to review and strengthen administrative and technical safeguards to protect information." 

The SEC filing says Block's investigation is still ongoing, so we'll keep you posted about any new details that may emerge.