Cash App forced to pay $15M for privacy and data breaches to millions of its users

Cash App Data Breaches Left Millions Exposed, Users Lost Thousands
Corporate Misconduct Accountability Project

Block, Inc. allegedly allowed a former employee to steal data on 8.2 million users, then suffered a second breach via recycled phone numbers, while customers reported losing up to $40,000 from their accounts.

CRITICAL SEVERITY
TL;DR

Block, Inc., parent company of Cash App, allegedly suffered two massive data breaches affecting over 8.2 million users. A former employee stole sensitive customer data in December 2021, but the company waited nearly four months to disclose it. Then, between January and June 2023, unauthorized users accessed accounts through recycled phone numbers. During this time, customers reported losing thousands of dollars to hackers, with some losing as much as $40,000. Block settled for $15 million without admitting wrongdoing.

This is what happens when companies treat security as optional and accountability as negotiable.

8.2M: Users whose data was stolen by former employee
$15M: Settlement fund (before fees and costs)
$40,000: Maximum reported loss by individual users
4 months: Delay before disclosing first breach
6 months: Delay before disclosing second breach

The Allegations: A Breakdown

Core Allegations
What Block, Inc. did to put millions at risk · 8 points
01 On December 10, 2021, a former employee of Cash App Investing downloaded internal reports containing the personal information of approximately 8.2 million current and former customers, including full names, brokerage account numbers, portfolio values, holdings, and stock trading activity. Block failed to prevent a departed employee from accessing sensitive customer data. high
02 Block waited nearly four months to disclose the first breach, not informing the public until April 4, 2022. This delay gave criminals a significant head start to exploit the stolen data while users remained unaware of the danger. high
03 Between January and June 2023, Block allowed unauthorized users to access Cash App accounts using recycled phone numbers. When carriers reassigned old phone numbers to new people, Block’s system let these new number owners log into the previous owner’s Cash App account, accessing account numbers, routing numbers, and Cash App Card details including CVV codes. high
04 Block delayed notifying users about the recycled phone number breach for at least six months after the initial unauthorized access began. Users were not informed until June 2023 at the earliest. high
05 Cash App users reported losing anywhere from hundreds of dollars to $40,000 from their accounts to hackers. The stolen funds included money needed for rent, food, tax refunds, stimulus checks, and military disability payments. high
06 Even after users informed Cash App that their accounts were compromised, money continued to be stolen. Some users reported dozens of fraudulent transactions occurring over periods of up to a year. high
07 Block failed to implement and maintain reasonable security procedures to protect customer data, violating the Federal Trade Commission Act’s prohibition on unfair or deceptive acts or practices. The company’s privacy notice claimed it took reasonable measures to protect user information, which the lawsuit argues was demonstrably false. high
08 One veteran reported that Cash App completely wiped out their military account, stealing everything and causing them to lose their home and fall behind on all bills. Users experienced cascading financial harms beyond the initial theft. high
Regulatory Failures
How weak oversight enabled this catastrophe · 5 points
01 Block operated within a regulatory gray zone where compliance with Federal Trade Commission guidelines was treated as a suggestion rather than a mandate. The company made public promises of security while its internal practices fell dangerously short. medium
02 The current regulatory system relies on punishing companies after harm is done, doing nothing to protect the initial victims. Block faced no preemptive oversight that could have stopped the breaches before millions of users were exposed. medium
03 The recycled phone number vulnerability was a known issue in the tech industry long before Block’s system was exploited. A robust regulatory environment would have mandated proactive audits and verifications of these basic security functions. medium
04 Block was able to resolve all legal claims without any admission of wrongdoing, setting no legal precedent that declared its security practices negligent. No executive faced personal liability. medium
05 The deregulated framework incentivizes companies to do the bare minimum required to appear compliant, leaving consumers to bear the risk of corporate failures. Block treated catastrophic security failures as a calculated cost of doing business. medium
Profit Over People
How Block prioritized shareholder value over user security · 5 points
01 Block chose to accept the risk of catastrophic data breaches rather than invest sufficiently in preventing them. The lawsuit argues the company intentionally, willfully, recklessly, or negligently failed to implement adequate security measures. high
02 Block had the resources to prevent these breaches as a multi-billion-dollar corporation, but allegedly prioritized profit over user protection. Investing in robust, expensive, non-revenue-generating security functions was treated as a drag on profits. high
03 Block’s decision to not properly offboard former employees, not address the recycled phone number vulnerability, and not heed the flood of complaints about stolen funds all point to a corporate culture where user security was not a top priority. high
04 The $15 million settlement is a negligible expense for a company of Block’s size. It becomes a predictable line item in the budget, a manageable cost of doing business rather than a deterrent against future negligence. medium
05 Block’s financial calculus followed the neoliberal model: it was cheaper to pay the fine and settle the lawsuit than to build a truly secure system. This ensures that profit maximization remains the guiding principle, even when the consequence is widespread financial harm. high
Economic Fallout
The real financial devastation suffered by ordinary users · 6 points
01 Users lost money intended for rent, leading to risk of eviction. They lost funds for food, threatening their family’s well-being. They lost tax refunds and stimulus checks meant to provide a financial cushion. high
02 Plaintiffs’ attorneys received over 1,000 submissions from Cash App users detailing immense financial losses, with individuals reporting losing as much as $40,000. For many, the stolen funds were essential for survival. high
03 Users spent countless hours trying to resolve the issues. One plaintiff spent over 100 hours dealing with the aftermath, time they could have spent working or with their families. medium
04 Users were forced to deal with false information appearing on their credit reports, potentially damaging their ability to access credit for years to come. The economic harm extended far beyond the initial theft. medium
05 The settlement offers reimbursement for Lost Time at only $25 per hour (up to three hours) and up to $2,500 for documented Out-of-Pocket Losses. For those who lost tens of thousands of dollars, these figures are a pittance. high
06 If the total value of approved claims exceeds the Net Settlement Fund, payments will be reduced on a pro rata basis. Victims are not guaranteed to be made whole and will receive only a fraction of what they lost. high
Corporate Accountability Failures
Why the settlement fails to deliver justice · 6 points
01 Block agreed to pay $15 million to a settlement fund but officially admitted no wrongdoing. This no-admission clause allows the company to end the legal threat without ever acknowledging its role in the harm caused. high
02 After attorneys’ fees of up to 25% ($3.75 million), administrative costs, and service awards are deducted, the Net Settlement Fund available to victims will be significantly smaller than the headline $15 million figure. medium
03 Users seeking reimbursement face a claims process that requires extensive documentation and is subject to the sole discretion of a settlement administrator. Many legitimate claims will be denied or reduced. medium
04 The settlement reinforces a dangerous incentive structure: it is more economically rational for Block to operate with deficient security and pay a relatively small settlement later than to invest in robust, preventative protection. high
05 The outcome treats widespread consumer harm not as a crime to be punished, but as a tort to be priced. For Block, accountability is just another cost to be managed, while for victims, the loss remains devastatingly real. high
06 No executive at Block faces personal liability for the security failures that exposed 8.2 million users to data theft and financial fraud. The corporate veil protects individual decision-makers from consequences. medium
The PR Machine
How Block managed perception instead of preventing harm · 4 points
01 Block’s privacy policy assured users of reasonable measures to protect their data, serving as a public-facing shield. It created an illusion of safety that encouraged users to entrust the platform with their financial lives, even as internal systems were riddled with vulnerabilities. medium
02 By delaying disclosure of the first breach for nearly four months and the second for up to six months, Block controlled the flow of information. This prevented users from taking immediate protective steps but gave the company time to prepare its legal and PR response. high
03 The settlement’s no-admission clause allows Block to buy silence and frame the outcome as an act of goodwill rather than an admission of failure. The payment becomes a pragmatic business decision, not a moral or legal reckoning. high
04 Block can now publicly claim the matter is resolved and move forward without any official acknowledgment that its security practices were negligent or that it violated users’ trust. medium
The Bottom Line
This is the system working exactly as designed · 5 points
01 The Cash App data breaches are not an anomaly. They are a predictable outcome of a system of neoliberal capitalism designed to prioritize and protect capital accumulation above all else. high
02 When Block can ignore security warnings, allow two massive breaches through basic negligence, delay informing customers for months, and resolve the legal action with no admission of wrongdoing, the system is not broken. It is functioning to shield corporate actors from meaningful consequences. high
03 The financial losses of individual users are treated as externalities, unfortunate but acceptable collateral damage in the pursuit of market dominance and shareholder returns. Millions paid the price for Block’s calculated risk-taking. high
04 This case reveals how deregulation creates conditions for corporate misconduct, how the profit motive disincentivizes ethical behavior, and how the legal system provides corporations with off-ramps to avoid true accountability. high
05 The harm suffered by millions of Cash App users is a direct indictment of this system. Without fundamental reform, corporations will continue to operate with impunity, leaving ordinary people to clean up the mess. high

Timeline of Events

December 10, 2021
First Data Breach: A former Cash App Investing employee downloads internal reports containing personal information of approximately 8.2 million users.
December 2021 – January 2022
Plaintiff Michelle Salinas experiences multiple unauthorized charges on her Cash App account totaling over $50.
February – May 2022
Plaintiff Raymel Washington faces numerous unauthorized attempts to withdraw money from his account.
April 4, 2022
Block, Inc. publicly discloses the First Data Breach, nearly four months after it occurred.
June 1, 2022
Raymel Washington has $394.85 stolen from his Cash App account through unauthorized transactions.
August 23, 2022
Initial class action lawsuit Salinas v. Block Inc. is filed in the U.S. District Court for the Northern District of California.
November 2, 2022
Plaintiff Amanda Gordon files Gordon v. Block Inc., which is later consolidated with the Salinas case.
January 1 – June 19, 2023
Second Data Breach: Unauthorized users gain access to Cash App accounts using recycled phone numbers that were linked to previous owners’ accounts.
June 2023
Block, Inc. begins notifying users of the Second Data Breach, up to six months after it started.
February 9, 2024
Consolidated Class Action Complaint is filed, combining multiple user lawsuits against Block, Inc. and Cash App Investing LLC.
March 3, 2024
Settlement Agreement is filed with the court, outlining the terms of the $15 million settlement fund with no admission of liability by Block.

Direct Quotes from the Legal Record

QUOTE 1 Scale of the First Breach allegations
“On December 10, 2021, a former employee of Cash App Investing downloaded internal reports containing the sensitive personal information of approximately 8.2 million current and former customers.”

💡 This shows Block failed to prevent a departed employee from accessing massive amounts of sensitive customer data.

QUOTE 2 What Data Was Stolen allegations
“The stolen information included customers’ full names, brokerage account numbers, and for some, the value and holdings of their investment portfolios and stock trading activity.”

💡 The breach exposed highly sensitive financial information that could be used for identity theft and targeted fraud.

QUOTE 3 Months-Long Cover-Up allegations
“For nearly four months, Block, Inc. remained silent. The company did not publicly disclose the breach until April 4, 2022, giving those who stole the data a significant head start to exploit it.”

💡 Block prioritized managing its public image over immediately warning endangered customers who could have taken protective action.

QUOTE 4 Second Breach Through Recycled Numbers allegations
“Between January and June of 2023, unauthorized users gained access to customer accounts by using recycled phone numbers. Block’s system allegedly allowed these new phone number owners to log into the previous owner’s Cash App account, granting them access to account numbers, routing numbers, and Cash App Card details, including the expiration date and CVV.”

💡 This was a known, preventable vulnerability that Block failed to address, enabling a second wave of unauthorized access.

QUOTE 5 Delayed Disclosure Again allegations
“Once again, the company failed to provide timely notice. Users were not informed about this breach until at least six months after the initial unauthorized access began.”

💡 Block established a pattern of hiding security failures from users, preventing them from protecting themselves.

QUOTE 6 Devastating User Losses economic
“Individuals reported losing as much as $40,000. For many, the stolen funds were essential for survival. Users reported that money needed for rent, food, and other basic obligations vanished from their accounts. Tax refunds, stimulus checks, and even military disability payments were allegedly siphoned off by criminals.”

💡 These were not abstract data points but real people who lost their ability to meet basic needs because of Block’s failures.

QUOTE 7 Ongoing Theft Despite Warnings allegations
“In many cases, the theft was not a one-time event. Some users reported dozens of fraudulent transactions occurring over a period of up to a year. Even after informing Cash App that their account was compromised, some users saw money continue to be taken.”

💡 Block failed to stop ongoing theft even after being directly notified by victims that their accounts were compromised.

QUOTE 8 Veteran Loses Everything economic
“One veteran reported that Cash App had ‘completely wiped out my military account stealing everything from me,’ causing them to lose their home and fall behind on all their bills.”

💡 This illustrates the life-altering, cascading consequences of Block’s security failures on vulnerable users.

QUOTE 9 Negligent Security Practices regulatory
“The complaint explicitly accuses Block of failing to implement and maintain reasonable security procedures, a violation of the spirit, if not the letter, of the FTC Act, which prohibits ‘unfair or deceptive acts or practices.’”

💡 Block violated basic security standards and made false promises about protecting user information.

QUOTE 10 False Security Promises pr_machine
“The company’s own privacy notice claimed it took ‘reasonable measures… to protect your information,’ a statement that the lawsuit argues was demonstrably false.”

💡 Block actively misled users about the level of security protecting their financial data and accounts.

QUOTE 11 Profit Over Protection profit
“The lawsuit argues the company disregarded the rights of its users by ‘intentionally, willfully, recklessly, and/or negligently’ failing to implement adequate security measures.”

💡 Block made a deliberate choice to underfund security, treating user protection as optional.

QUOTE 12 Settlement Without Admission accountability
“Block, Inc. agreed to pay $15 million to a settlement fund but officially admitted no wrongdoing. This is a standard and insidious feature of corporate settlements under late-stage capitalism.”

💡 Block escapes legal accountability and can publicly deny any fault despite overwhelming evidence of harm.

QUOTE 13 Inadequate Compensation economic
“The settlement offers reimbursement for ‘Lost Time’ at a rate of $25 per hour (up to three hours) and up to $2,500 for documented ‘Out-of-Pocket Losses.’ However, for those who lost tens of thousands of dollars, these figures are a pittance.”

💡 Users who lost $40,000 will receive a fraction of what they lost, while Block pays a negligible fine relative to its size.

QUOTE 14 Pro Rata Reduction Clause accountability
“In the event that the Net Settlement Fund is not sufficient to make payment for all Approved Claims at the full amounts otherwise approved, then the value of the payments for Approved Claims shall be reduced on a pro rata basis.”

💡 Even the inadequate settlement amounts may be further reduced, ensuring victims are not made whole.

QUOTE 15 System Working as Intended conclusion
“When Cash App can ignore years of security warnings, allow two massive data breaches to occur through basic negligence, delay informing its customers for months, and then resolve the resulting legal action with a settlement that includes no admission of wrongdoing, the system is not broken. It is functioning to shield corporate actors from meaningful consequences.”

💡 This case exposes how the legal and economic system is designed to protect corporations, not the people they harm.

Frequently Asked Questions

What exactly happened in the Cash App data breaches?
Block, Inc. suffered two major security failures. In December 2021, a former Cash App Investing employee stole data on 8.2 million users, including names, account numbers, and investment details. Then between January and June 2023, unauthorized users accessed accounts through recycled phone numbers. Block delayed disclosing both breaches for months, leaving users unaware and vulnerable while hackers drained their accounts.
How much money did Cash App users lose?
Users reported losses ranging from hundreds to as much as $40,000. Over 1,000 users submitted reports of financial losses to the plaintiffs’ attorneys. Many lost funds needed for rent, food, tax refunds, stimulus checks, and even military disability payments. Some experienced dozens of fraudulent transactions over periods of up to a year.
Why didn’t Block tell users about the breaches right away?
Block waited nearly four months to disclose the first breach (December 2021 to April 2022) and up to six months for the second breach. The lawsuit suggests Block prioritized controlling the narrative and managing its public image over immediately warning users so they could protect themselves. This delay gave criminals more time to exploit the stolen data.
What is Block paying in the settlement?
Block agreed to pay $15 million into a settlement fund. However, after attorneys’ fees of up to 25% ($3.75 million), administrative costs, and service awards to named plaintiffs are deducted, the amount available to compensate victims will be significantly less, likely around $10.5 million or less shared among potentially millions of class members.
Did Block admit it did anything wrong?
No. The settlement includes a standard no-admission-of-liability clause, meaning Block officially denies any wrongdoing. The company can pay the settlement and move on without ever legally acknowledging that its security was inadequate or that it violated users’ rights.
How much can individual victims actually recover?
The settlement caps reimbursement at $2,500 for documented out-of-pocket losses and $75 for lost time (up to 3 hours at $25/hour). For users who lost tens of thousands of dollars, this is a tiny fraction of their losses. If approved claims exceed the fund, payments will be reduced further on a pro rata basis, meaning victims may receive only pennies on the dollar.
Why is this settlement so inadequate compared to the harm?
The settlement reflects how the legal system treats corporate harm. For Block, a multi-billion-dollar company, $15 million is a negligible cost of doing business. The settlement allows the company to avoid any legal precedent that its practices were negligent, pay a small fraction of the harm caused, and face no executive accountability. It is more profitable to pay a settlement than to invest in robust security.
What were the security failures that led to these breaches?
Block failed to properly deactivate access for a former employee, allowing them to download data on 8.2 million users months after leaving. Block also failed to address the known vulnerability of recycled phone numbers being used to access old accounts. The lawsuit alleges Block intentionally, willfully, recklessly, or negligently failed to implement basic, reasonable security measures despite having the resources to do so.
Can I still join the class action or file a claim?
If you were a Cash App or Cash App Investing user whose data was compromised or who experienced unauthorized transactions between August 2018 and the notice date in 2024, you may be part of the settlement class. Check the settlement website for deadlines to file a claim, opt out, or object. Deadlines are typically strict, so act quickly.
What can I do to protect myself from companies like Block?
Monitor your accounts closely for unauthorized transactions and report them immediately. Use unique, strong passwords and enable two-factor authentication where available. Consider using credit monitoring services. Most importantly, demand stronger data protection laws from your elected representatives. Corporate accountability will only improve if the legal and regulatory system is reformed to prioritize people over profit.
Post ID: 255  ·  Slug: cash-app-forced-to-pay-15m-for-privacy-and-data-breaches-to-millions-of-its-users  ·  Original: 2024-09-23  ·  Rebuilt: 2026-03-19

Click on this link to join the class action settlement and grab yourself a tiny portion of their enormous revenue.

Here is another article on a different CashApp controversy, but this one was them using its users as slave labor to do marketing for the giant company: https://evilcorporations.com/corporate-misconduct-cash-app-spam-lawsuit-analysis/

Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.

Learn more about my research standards and editorial process by visiting my About page
