Block disclosed today that a security breach involving a former employee impacts 8.2 million Cash App users. In an SEC filing, the company reported that on December 10th, an ex-employee downloaded a number of reports containing customer information. The exfiltrated data included full names, brokerage account numbers, brokerage portfolio value, brokerage portfolio holdings and reports of stock trading activity.
According to the filing, only customers who used Cash App’s stock function are potentially included in the breach. While Cash App got its start as a peer-to-peer payment app, its customers can also use it to buy stocks and Bitcoin. No other Cash App features outside of stocks were involved in the breach, nor did it include any customers outside of the US, according to the company.
“The reports did not include usernames or passwords, Social Security numbers, date of birth, payment card information, addresses, bank account information, or any other personally identifiable information. They also did not include any security code, access code, or password used to access Cash App accounts. Other Cash App products and features (other than stock activity) and customers outside of the United States were not impacted,” wrote Block in the filing.
Block has launched a formal investigation into the incident and has contacted law enforcement. It also plans on notifying all 8.2 million customers involved in the breach by email.
According to the filing, the ex-employee once had access to the customer information as an employee at Cash App. But by the time the breach occurred, they had already been gone from the company for several months. It’s unclear how a former employee was still able to retrieve such highly sensitive information. Engadget has reached out to Block for a response, and will update if we hear back.