Cash App breach explained: what happened and how to secure your finances

Cash App is one of the most widely used peer-to-peer payment platforms in the U.S., with over 50 million users who rely on it to send money, invest in stocks or Bitcoin, and even file taxes. The app’s growth surged during the pandemic as more people turned to mobile-first financial tools. But with this increased popularity came greater responsibility for protecting users’ personal data. Cash App’s recent history of two data breaches in 2021 and 2023 uncovered serious flaws in its security practices. The breaches led to a class action lawsuit that resulted in a $15 million settlement, and underscored that the platform still has work to do in strengthening its security.
This article breaks down what happened in both Cash App breach incidents, what kind of data was compromised, and, most importantly, what steps you can take to protect your identity and finances.
What happened in the Cash App breach?

The 2021 incident and the insider threat
In December 2021, a former Cash App employee downloaded confidential reports that contained sensitive information of over 8.2 million current and former customers.
Was Cash App hacked? Not quite. The perpetrator had regular, permitted access to these reports during their employment. That access wasn’t removed after their employment was terminated, which points to a poor offboarding process and weak access control.
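An offboarding audit that would surface this kind of gap, as an added example that is not Cash App's or Block's code: it reconciles HR termination records against the accounts still enabled and against report-access logs. All usernames, dates, resource names and function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample data (not from the incident): HR termination records,
# the identity provider's set of enabled accounts, and report-access logs.
TERMINATIONS = {
    "jdoe": "2021-11-30T17:00:00+00:00",
    "asmith": "2021-10-15T17:00:00+00:00",
}
ENABLED_ACCOUNTS = {"jdoe", "mlee", "rpatel"}
ACCESS_LOG = [
    {"user": "jdoe", "time": "2021-11-29T09:12:00+00:00", "resource": "reports/daily-holdings"},
    {"user": "jdoe", "time": "2021-12-10T22:41:00+00:00", "resource": "reports/daily-holdings"},
    {"user": "mlee", "time": "2021-12-10T10:05:00+00:00", "resource": "reports/daily-holdings"},
    {"user": "asmith", "time": "2021-10-14T08:00:00+00:00", "resource": "reports/portfolio-values"},
]


def _ts(value):
    """Parse an ISO 8601 timestamp and normalise it to UTC."""
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def stale_accounts(terminations, enabled_accounts, now):
    """Accounts still enabled although HR recorded a termination before `now`."""
    return sorted(user for user, ended in terminations.items()
                  if user in enabled_accounts and _ts(ended) <= now)


def post_termination_access(terminations, access_log):
    """Log entries where a user touched a resource after their termination time."""
    hits = []
    for event in access_log:
        ended = terminations.get(event["user"])
        if ended and _ts(event["time"]) > _ts(ended):
            days_late = (_ts(event["time"]) - _ts(ended)).days
            hits.append((event["user"], event["resource"], days_late))
    return hits


if __name__ == "__main__":
    now = _ts("2021-12-15T00:00:00+00:00")
    print("still enabled:", stale_accounts(TERMINATIONS, ENABLED_ACCOUNTS, now))
    print("access after termination:", post_termination_access(TERMINATIONS, ACCESS_LOG))
```

The first check catches the missed deprovisioning itself; the second catches its use, and is worth running even when the first comes back clean, since an account may have been disabled only after the access occurred.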
The 2023 unauthorized user access incident
In 2023, some Cash App users saw their accounts being accessed without authorization. This unusual data breach happened due to systemic account access vulnerabilities and number recycling.
Cash App lets users log in through a one-time security code received via text or email, instead of a password or multi-factor authentication (MFA). Number recycling is a practice in which, once a person changes their phone number, it gets reassigned to another user.
If the changed phone number wasn’t unlinked from the corresponding Cash App account, the next number owner could access the account by simply requesting a code. As many failed to remove the old numbers, the oversight led to unauthorized transactions and withdrawals.
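A server-side guard against the recycled-number scenario described above, as an added example that is not Cash App's implementation: before texting a login code, the service compares when the account last verified the number with when that number was deactivated. The deactivation feed, the 180-day policy, the field names and the sample records are all assumptions made for illustration.

```python
from datetime import date, timedelta

# Assumed policy: a number not re-verified within this window needs step-up.
MAX_VERIFICATION_AGE = timedelta(days=180)

# Constructed sample data: account records and a hypothetical feed of
# phone-number deactivation dates (numbers use the fictional 555-01xx range).
ACCOUNTS = {
    "acct-1": {"phone": "+12025550100", "phone_verified_on": date(2022, 1, 10)},
    "acct-2": {"phone": "+12025550101", "phone_verified_on": date(2023, 5, 2)},
    "acct-3": {"phone": "+12025550102", "phone_verified_on": date(2021, 3, 1)},
}
DEACTIVATIONS = {
    "+12025550100": date(2022, 9, 1),
    "+12025550101": date(2023, 1, 15),
}


def sms_login_decision(account, deactivations, today):
    """Decide whether a one-time login code may be texted to the linked number."""
    verified = account["phone_verified_on"]
    deactivated = deactivations.get(account["phone"])
    # The number changed hands after the account holder last proved control
    # of it: the current subscriber may be a different person.
    if deactivated and deactivated > verified:
        return "unlink_phone_and_step_up"
    # No deactivation on record, but the binding is old enough that the
    # feed alone should not be trusted.
    if today - verified > MAX_VERIFICATION_AGE:
        return "step_up"
    return "send_sms_code"


if __name__ == "__main__":
    today = date(2023, 6, 1)
    for name, account in ACCOUNTS.items():
        print(name, sms_login_decision(account, DEACTIVATIONS, today))
```

Here "step up" means requiring a factor other than the phone number, such as the linked email or an in-app confirmation on a previously trusted device, before the login proceeds.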
What data was exposed and who was affected in the Cash App breach incidents?
The 2021 Cash App data breach
The 2021 incident exposed the following user information:
- Full names
- Brokerage account numbers (unique identification numbers associated with a customer’s stock activity on Cash App Investing)
- Investment portfolio values
- Stock holdings
- Stock trading activity for one day of trading
This breach affected Cash App Investing users based in the U.S. The company emphasized that financial data and personally identifiable information, such as dates of birth, Social Security numbers or street addresses, were not exposed.
The 2023 Cash App data breach
The 2023 incident compromised the following information:
- Personal information visible within the app, such as full names
- Financial info, such as balances, recent transaction history, and potentially linked card/bank account details.
The exact number of affected users was never disclosed.
Did Cash App do enough in response?
Block, Cash App’s parent company, filed a Form 8-K with the Securities and Exchange Commission and publicly disclosed the December 2021 breach on April 4, 2022. They began notifying the affected customers immediately after the official announcement. Critics have noted that the four-month delay amplified the customers’ risks of being targeted by cybercriminals.
The company worked with outside counsel and a leading forensics firm to investigate the breach. They also notified law enforcement and the relevant regulatory authorities.
Legal, financial, and reputational consequences after the Cash App breach
From fraud to frustration: what users went through
Many customers reported that funds were withdrawn from their Cash App accounts without consent, especially after the 2023 breach involving recycled phone numbers. Some saw their balances emptied or linked bank accounts accessed.
Those who tried contacting Cash App’s customer support described it as slow, unhelpful, or non-responsive. “I had them close my account because I filed disputes on five fraudulent charges on my account. While the disputes were in and they were investigating, they closed my card for my protection and new number yada yada… But still let five more go through on the old cancelled number”, a Cash App customer wrote on Reddit.
Some users complained of their Cash App accounts being shut down while they still had money stored. Many expressed their distrust of the mobile banking service, and the mobile app received negative publicity from news outlets and tech media.
At the very least, customers had to deal with the consequences of Cash App breach incidents and spend time on filing fraud reports, freezing accounts, setting up fraud alerts, and more.
The class action lawsuit and $15 million settlement
On April 15, 2022, shortly after the 2021 Cash App data breach was disclosed, a national law firm, Migliaccio & Rathod LLP, launched a class action investigation.
As a result, the Salinas et al. v. Block Inc. class action was filed in California federal court in August 2022. Another class action complaint, Gordon v. Block, was filed by Amanda Gordon in November 2022. The two got merged into a consolidated class action lawsuit. After the 2023 Cash App security breach, the consolidated lawsuit was amended to cover both breaches.
The class action complaint claims that Cash App and Block were negligent, made misrepresentations, and breached their obligations to customers.
Cash App agreed to a $15 million settlement agreement to resolve the dispute. The company also promised to focus on improving data security as part of the settlement. Still, it maintained that it was not responsible for the incidents.
Settlement terms and eligibility criteria
Important note: the deadline to file a claim under this settlement has already passed, and no new claims are being accepted.
According to the lawsuit settlement website, the class action involves any current or former Cash App user who was affected by the incidents between August 2018 and August 2024.
Eligible customers were entitled to:
- Out-of-pocket expenses (up to $2500): costs associated with credit monitoring or ID theft insurance services, requesting a credit report and credit freeze, closing and replacing a compromised card or bank account, postage fees, long-distance phone charges, and other unexpected costs.
- Transaction losses (unauthorized transactions)
- Lost time in relation to the two breaches (up to 3 hours at $25/hour, max $75).
The impacted customers had to provide proof to support their claim: bank statements, receipts, credit reports, police reports, or similar documents.
Here is a complete breakdown of the settlement steps and deadlines:
Milestone | Due on |
---|---|
Submit a claim | November 18, 2024 |
Object to the settlement | November 18, 2024 |
Exclude yourself from the settlement | November 18, 2024 |
Final approval hearing | January 13, 2025 |
Food for thought: can Cash App be hacked?
“Hackers follow the crowds, and the more people use these apps, the more time criminals will spend trying to exploit them.”
How secure is Cash App?
Although Cash App has taken steps to strengthen its protections, concerns from experts and public officials persist regarding its security issues and weak protocols.
In January 2024, Manhattan District Attorney Alvin Bragg publicly criticized Cash App, along with Venmo and Zelle, for leaving users vulnerable to fraud and financial theft. In letters addressed to these platforms, Bragg wrote about a surge in incidents where criminals exploited the apps to drain accounts, often by accessing unlocked phones, hijacking account settings, or using stolen credentials. He called for urgent improvements, including secondary transaction verification, better monitoring of suspicious activity, and stricter controls on large transfers.
Experts often highlight the following security concerns when it comes to peer-to-peer payment services like Cash App:
Limited fraud protection
Cash App operates outside the federal protections that apply to traditional banks. Once a payment is authorized, whether fraudulent or not, users often have no clear path to dispute or recover their funds.
Data leaks
Because of its popularity and fast payout options, Cash App accounts are frequently targeted by cybercriminals. According to Neal O’Farrell, a digital security expert and member of CNET’s Money review, while the app offers multiple security features, they may not always prevent data leaks, especially when insider threats are involved, as seen in the 2021 Cash App breach.
Inconsistent customer support
Users often complain that it’s difficult to reach live support when they experience fraud or account issues. Some claim that disputes are mishandled, while others report their accounts being shut down with funds still inside.
Risks of phishing, SIM swaps, and device compromise
Besides being exposed to various scams, Cash App users remain vulnerable to additional security threats:
- SIM swapping or hijacking: Bad actors collect your personal details from previous data breaches or data broker websites, contact your phone provider, and convince them to transfer your phone number to their SIM card. They start receiving all your phone calls and texts, while your phone loses service.
- Account takeovers: After a fraudster gets access to your phone number or email, they proceed to access your Cash App account and steal money.
- Phishing scams: Texts, emails, or calls that appear to be coming from Cash App or another trustworthy sender, but are meant to trick you into revealing your sensitive information.
- Device compromise: Phishing attempts may contain malware or spyware. This gives fraudsters direct access to your login codes, account activity, and more.
Steps to take if you’re a Cash App user

Check if your data was exposed
The first step is to determine whether your information has already been leaked or sold online.
- Look out for breach notifications: Cash App may have sent you an email or notification if your account has been affected by the security incidents or is part of the class action settlement.
- Search your email or phone number on trusted breach checkers: You can use HaveIBeenPwned to see if your email address or phone number was exposed in a known data breach. If you use Gmail, check Google’s dark web report feature (available in Google One) to monitor whether your personal information has appeared on the dark web.
Strengthen your account security
If your information has been exposed, you can prevent further damage by enhancing your account security.
- Enable two-factor authentication (2FA): Although Cash App doesn’t offer traditional 2FA, you can download a separate app like Google Authenticator to secure your email account and any connected services (like your bank).
- Enable Cash App’s security lock for safer transactions: To help prevent unauthorized withdrawals or money requests, Cash App offers a security lock feature. When activated, it requires biometric verification like your fingerprint, Face ID, or a custom passcode before any funds can be sent or transferred. You can turn it on by navigating to the Security & Privacy section in your app settings.
- Secure your email and mobile carrier account:
  - Use a strong, unique password on the email account linked to your Cash App.
  - Add a PIN or passcode to your phone account to prevent SIM swap attacks.
  - Enable alerts in case of suspicious login attempts.
- Monitor all (linked) financial accounts:
  - Regularly check your Cash App balance and transaction history. Enable push notifications under the app’s Notifications tab to receive real-time text or email alerts for every transaction to quickly detect any suspicious activity.
  - Review your linked bank accounts or debit cards for unauthorized transactions.
  - Set up alerts with your bank for transactions or logins.
Watch for phishing and impersonation scams
- Beware of fake messages claiming to be from Cash App: These may come via text, email, or even social media. They often claim your account is locked, ask you to “verify” your info, or offer fake rewards.
- Don’t share login codes: Cash App will never ask you to share a one-time code. Anyone requesting it is likely a scammer trying to access your account.
- Never send money to people you don’t know. Scammers may pose as friends or service providers. Always verify the recipient’s phone number or email before sending funds. If you send money to the wrong person or fall for a scam, your bank or Cash App may not refund the funds. Use security features like Incoming Requests to limit who can request money, and turn off your public $Cashtag to stay private.
- Only contact support through official channels: If you need help, use the Cash App website or app. Don’t use the phone numbers or emails you find through Google or Reddit. Scammers sometimes buy ads to appear as legitimate support.
How Onerep helps reduce privacy risks after a data breach
Why data breaches have lasting effects
Once your name, phone number, email, or other sensitive information is out there, it can be reused by bad actors again and again. Stolen data often resurfaces in future fraud attempts, phishing scams, identity theft, SIM swaps, and more complex social engineering attacks.
Data broker websites that collect and sell your personal details can make you more visible to fraudsters. Bad actors often combine this information with the sensitive data leaked in data breaches to complete the profile of a target.
How Onerep protects your privacy
Onerep scans over 210 public data broker sites that publish people’s data and requests removals on your behalf, saving you hours of work. Removing this information helps protect your privacy and reduce the associated security risks.
FAQs
Was Cash App hacked in 2022?
Cash App experienced an internal security breach in December 2021. It wasn’t a typical hack. The company came forward about the incident in April 2022.
What data was leaked in the Cash App breach?
The 2021 Cash App data breach exposed the customers’ names, brokerage account numbers, investment portfolio values and holdings, and stock activity for one day of trading.
The 2023 Cash App security breach exposed various user information visible within the app, such as full names, and financial information, including balances, recent transaction history, and potentially linked card/bank account details.
Is it safe to keep money in Cash App now?
Cash App pledged to enhance its security measures after the breaches, and many users have no issues with the service. However, it’s best to avoid storing large amounts on your Cash App account and transfer money regularly to your bank.
Can my Cash App account be hacked?
Cash App continues to operate securely for millions of users, but like all peer-to-peer payment apps, it comes with some risks. Its passwordless login system and reliance on SMS codes can be a weak point if your phone number or email is compromised, leading to account takeover.
What’s the safest way to use mobile payment apps?
Make sure to protect your account by regularly reviewing your activity, setting up alerts and MFA wherever possible, and never disclosing your credentials. Also, avoid using mobile banking services like Cash App to store money.
Mikalai is a Chief Technical Officer at Onerep. With a degree in Computer Science, he headed the developer team that automated the previously manual process of removing personal information from data brokers, making Onerep the industry’s first fully automated tool to bulk-remove unauthorized profiles from the internet.