Cash App forced to pay $15M for privacy and data breaches to millions of its users

TL;DR: Block, Inc., the parent company of Cash App, allegedly allowed the private financial data of over 8.2 million users to be stolen by a former employee and suffered a second major breach months later, all while customers reported losing thousands of dollars from their accounts to hackers. Despite claims of taking security seriously, the company delayed notifying users for months, leaving them vulnerable. This article breaks down how a system prioritizing profit over protection led to devastating financial losses for everyday people, and how the subsequent $15 million settlement represents a fraction of the harm done.


Introduction: A System Designed for Profit, Not Protection

In our modern economy, corporations ask for our trust and our data, promising convenience and security in return. But for millions of users of Cash App, a popular mobile payment service, that trust was shattered. Legal documents reveal a story not just of technical failure, but of a systemic breakdown where a company’s duty to protect its customers was allegedly subordinated to its operational priorities. At the heart of this case are two massive data breaches and a flood of user complaints detailing how their accounts were drained of life-altering sums of money—funds for rent, food, and even military disability pay.

This is more than a story about a data breach. It is an examination of a corporate structure that allegedly ignored repeated warnings, failed to implement basic security protocols, and left its users to fend for themselves against financial predators. It exposes the consequences of a deregulated digital marketplace where corporations can operate with minimal accountability, treating catastrophic security failures as a calculated cost of doing business. The fallout from Cash App’s alleged negligence offers a brutal look at how the relentless drive for profit in a neoliberal capitalist system can leave the most vulnerable members of society paying the highest price.


Inside the Allegations: A Cascade of Corporate Failure

The case against Block, Inc. and its subsidiary, Cash App Investing, LLC, is built on a foundation of severe and repeated security failures that directly harmed millions of its customers. The allegations paint a picture of a company that was not just a victim of external attacks, but an enabler of them through its own negligence.

The First Data Breach: An Inside Job

The first major security failure occurred on December 10, 2021. On that day, a former employee of Cash App Investing downloaded internal reports containing the sensitive personal information of approximately 8.2 million current and former customers. This was a failure of basic internal controls. The employee, whose access should have been terminated upon their departure, was allegedly still able to access and exfiltrate troves of user data.

The stolen information included customers’ full names, brokerage account numbers, and for some, the value and holdings of their investment portfolios and stock trading activity. For nearly four months, Block, Inc. remained silent. The company did not publicly disclose the breach until April 4, 2022, giving those who stole the data a significant head start to exploit it.

The Second Data Breach: A Predictable Vulnerability

Just as the fallout from the first breach was unfolding, a second, entirely different security vulnerability was being exploited. Between January and June of 2023, unauthorized users gained access to customer accounts by using recycled phone numbers. When a user changes their phone number, carriers often reassign the old number to a new person. Block’s system allegedly allowed these new phone number owners to log into the previous owner’s Cash App account, granting them access to account numbers, routing numbers, and Cash App Card details, including the expiration date and CVV.

Once again, the company failed to provide timely notice. Users were not informed about this breach until at least six months after the initial unauthorized access began. This pattern of delayed disclosure became a central theme in the allegations, suggesting a corporate policy that prioritized managing public perception over immediately warning its endangered customers.
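The recycled-number takeover described above comes down to treating possession of a phone number as proof of identity. The sketch below is an added example, not Cash App's or Block's code: it shows a login check that refuses an SMS code on its own once the number has been released by the carrier since the account holder last verified it. The `Account` fields, the 180-day threshold and the carrier release date passed in as `disconnected_at` are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"      # SMS code alone is accepted
    STEP_UP = "step_up"  # also require a factor not tied to the number
    UNLINK = "unlink"    # detach the number; recover the account another way


@dataclass(frozen=True)
class Account:
    account_id: str
    phone: str
    phone_verified_at: datetime      # last time the holder proved possession
    trusted_devices: frozenset = frozenset()


MAX_VERIFICATION_AGE = timedelta(days=180)  # assumed policy value


def sms_login_decision(acct, device_id, now, disconnected_at: Optional[datetime]):
    """Decide whether an SMS code may authenticate this login on its own.

    disconnected_at is the time the carrier last released the number
    (None when no release is known); the feed supplying it is hypothetical.
    """
    # The number was released after the account holder last verified it, so
    # whoever receives the code now may be the number's new owner.
    if disconnected_at is not None and disconnected_at > acct.phone_verified_at:
        return Decision.UNLINK
    # A device already bound to the account is evidence beyond the number.
    if device_id in acct.trusted_devices:
        return Decision.ALLOW
    # New device plus an old verification: the number alone is weak evidence.
    if now - acct.phone_verified_at > MAX_VERIFICATION_AGE:
        return Decision.STEP_UP
    return Decision.ALLOW


def run_constructed_cases():
    """Constructed sample accounts and logins; not real data."""
    now = datetime(2023, 2, 1)
    recycled = Account("a1", "+15550100", datetime(2022, 3, 1))
    stale = Account("a2", "+15550101", datetime(2021, 1, 10), frozenset({"dev-7"}))
    fresh = Account("a3", "+15550102", datetime(2023, 1, 20))
    return {
        "recycled_number": sms_login_decision(recycled, "dev-new", now, datetime(2022, 11, 15)),
        "trusted_device": sms_login_decision(stale, "dev-7", now, None),
        "stale_new_device": sms_login_decision(stale, "dev-new", now, None),
        "reverified_after_release": sms_login_decision(fresh, "dev-new", now, datetime(2022, 6, 1)),
    }


if __name__ == "__main__":
    for name, decision in run_constructed_cases().items():
        print(f"{name}: {decision.value}")
```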

A Timeline of Negligence and Harm

Date | Event
Dec. 10, 2021 | The First Data Breach occurs. A former employee downloads reports containing the personal information of 8.2 million Cash App Investing users.
Dec. 2021 – Jan. 2022 | A plaintiff in the case, Michelle Salinas, experiences multiple unauthorized charges on her Cash App account totaling over $50.
Feb. – May 2022 | Another plaintiff, Raymel Washington, faces numerous unauthorized attempts to withdraw money from his account.
April 4, 2022 | Block, Inc. publicly discloses the First Data Breach, nearly four months after it happened.
June 1, 2022 | Raymel Washington has $394.85 stolen from his Cash App account through unauthorized transactions.
Aug. 23, 2022 | The initial class action lawsuit, Salinas, et al. v. Block Inc., et al., is filed.
Jan. 1 – June 19, 2023 | The Second Data Breach unfolds as unauthorized users gain access to accounts via recycled phone numbers.
June 2023 | Block, Inc. begins notifying users of the Second Data Breach, up to six months after it started.
Feb. 9, 2024 | The Consolidated Class Action Complaint is filed, combining multiple user lawsuits.
March 3, 2024 | The Settlement Agreement is filed with the court, outlining the terms of the $15 million settlement.

The Human Cost: A Torrent of Stolen Funds

Beyond the data breaches, the lawsuit compiled a devastating collection of user experiences. Plaintiffs’ attorneys received over 1,000 submissions from Cash App users detailing immense financial losses. Individuals reported losing as much as $40,000. For many, the stolen funds were essential for survival. Users reported that money needed for rent, food, and other basic obligations vanished from their accounts. Tax refunds, stimulus checks, and even military disability payments were allegedly siphoned off by criminals.

The methods of theft were varied. Hackers used the stolen funds to buy Bitcoin, stocks, gift cards, and items on platforms like Uber and Google. In many cases, the theft was not a one-time event. Some users reported dozens of fraudulent transactions occurring over a period of up to a year. Even after informing Cash App that their account was compromised, some users saw money continue to be taken. In what seems like a cruel irony, Cash App’s automated systems sometimes allowed so much money to be stolen that users were left with large negative balances.


Regulatory Capture & Loopholes: The Illusion of Oversight

In a system governed by neoliberal principles, regulation often becomes a performance of safety rather than a guarantee of it. The Federal Trade Commission (FTC) sets guidelines for businesses on protecting consumer data, establishing a baseline for what constitutes reasonable security. The lawsuit against Block alleges that the company failed to meet these standards, operating within a regulatory gray zone where compliance is treated as a suggestion, not a mandate.

The complaint explicitly accuses Block of failing to implement and maintain reasonable security procedures, a violation of the spirit, if not the letter, of the FTC Act, which prohibits “unfair or deceptive acts or practices.” The company’s own privacy notice claimed it took “reasonable measures… to protect your information,” a statement that the lawsuit argues was demonstrably false. This is a classic example of regulatory weakness: a company like Cash App can make public promises of security while its internal practices fall dangerously short, with little preemptive oversight to stop them. The system relies on punishing companies after the harm is done, a model that does nothing to protect the initial victims.

The fact that a former employee could still access sensitive data months after their departure points to a stunning lack of basic administrative safeguards. Similarly, the recycled phone number issue was a known vulnerability in the tech industry long before it was exploited at Cash App. A truly robust regulatory environment would mandate proactive audits and verifications of these basic security functions. Instead, under the current deregulated framework, companies are incentivized to do the bare minimum required to appear compliant, leaving consumers to bear the risk of their failures.


Profit-Maximization at All Costs: A Business Model Built on Risk

At its core, the Cash App saga is a story about corporate priorities. In a capitalist system that relentlessly rewards shareholder value above all else, investing in robust, expensive, and non-revenue-generating functions like data security can be seen as a drag on profits. The allegations against Block suggest a company that chose to accept the risk of a catastrophic data breach rather than invest sufficiently in preventing one.

The resources to prevent these breaches were undoubtedly available to a multi-billion-dollar corporation like Block, Inc. Yet, the lawsuit argues the company disregarded the rights of its users by “intentionally, willfully, recklessly, and/or negligently” failing to implement adequate security measures. The decision to not properly offboard former employees, to not address the recycled phone number vulnerability, and to not heed the “flood of complaints” from users about stolen funds all point to a corporate culture where user security was not a top priority.

The financial calculus of neoliberalism is brutally simple: is it cheaper to pay the fine and settle the lawsuit than it is to build a truly secure system? For many corporations, the answer is yes. The $15 million settlement, while seemingly large, is a negligible expense for a company of Block’s size. It becomes a predictable line item in the budget, a manageable cost of doing business rather than a deterrent against future negligence. This model ensures that profit-maximization remains the guiding principle, even when the predictable consequence is widespread financial harm to customers.


The Economic Fallout: Real People, Real Losses

The consequences of Block’s alleged failures were not abstract. They were felt in the emptied bank accounts and panicked phone calls of ordinary people. The economic fallout described in the lawsuit is a stark reminder of the precarity faced by many Americans and how corporate negligence can push them over the edge.

Users lost money intended for rent, leading to the risk of eviction. They lost funds for food, threatening their family’s well-being. They lost tax refunds and stimulus checks that were meant to provide a financial cushion. One veteran reported that Cash App had “completely wiped out my military account stealing everything from me,” causing them to lose their home and fall behind on all their bills.

Beyond the direct theft, users suffered a cascade of secondary financial harms. They spent countless hours—in one plaintiff’s case, over 100 hours—trying to resolve the issues, time they could have spent working or with their families. They were forced to deal with false information appearing on their credit reports, potentially damaging their ability to access credit for years to come. The settlement agreement acknowledged these harms by offering reimbursement for “Lost Time” at a rate of $25 per hour (up to three hours) and up to $2,500 for documented “Out-of-Pocket Losses.” However, for those who lost tens of thousands of dollars, these figures are a pittance. This is the brutal reality of economic fallout in a system that protects corporate entities: the losses are privatized onto individuals, while the “remedy” is socialized and minimized through class-action settlements.


The PR Machine: Crafting a Narrative of Innocence

In the face of overwhelming evidence of harm, corporate strategy often shifts from prevention to perception management. The legal documents in the Cash App case highlight several tactics used to spin the narrative and minimize corporate liability.

First is the misleading promise of security. Block’s privacy policy, which assured users of “reasonable measures” to protect their data, served as a public-facing shield. It created an illusion of safety that encouraged users to entrust the platform with their financial lives, even as internal systems were allegedly riddled with vulnerabilities.

Second is the strategic delay in communication. By waiting nearly four months to disclose the first data breach and up to six months for the second, the company controlled the flow of information. This delay prevented users from taking immediate steps to protect themselves, such as freezing their credit or monitoring their accounts, but it gave the company time to prepare its legal and public relations response.

Finally, and most critically, is the settlement’s “No Admission of Liability” clause. Block, Inc. agreed to pay $15 million to a settlement fund but officially admitted no wrongdoing. This is a standard and insidious feature of corporate settlements under late-stage capitalism. It allows the company to end the legal threat and publicly claim the matter is resolved without ever having to acknowledge its role in the harm caused. The payment becomes a pragmatic business decision, not a moral or legal reckoning. It effectively buys silence and allows the corporate PR machine to frame the outcome as an act of goodwill rather than an admission of failure.


Corporate Accountability Fails the Public

The $15 million settlement in the case of Salinas v. Block Inc. is a textbook example of how the corporate accountability system in America fails to deliver true justice. While the agreement provides some measure of relief to some victims, it falls far short of holding the corporation meaningfully accountable and serves more to protect the company than to repair the damage it allegedly caused.

Consider the scale: a $15 million fund for a class potentially numbering in the millions. After attorneys’ fees (up to 25%, or $3.75 million), administrative costs, and service awards for the named plaintiffs are deducted, the “Net Settlement Fund” available to users will be significantly smaller. Any user seeking reimbursement for stolen funds or out-of-pocket losses faces a claims process that requires documentation and is subject to the “sole discretion” of a settlement administrator. If the total value of approved claims exceeds the net fund, payments will be reduced on a pro rata basis. This means victims are not guaranteed to be made whole because they will receive only a fraction of what is available.

More importantly, the settlement allows Block to avoid any admission of guilt. There is no legal precedent set that declares its security practices were negligent. No executive faces personal liability. The outcome reinforces a dangerous incentive structure: it is more economically rational for a corporation to operate with deficient security and pay a relatively small settlement later than to invest in robust, preventative protection. The system treats widespread consumer harm not as a crime to be punished, but as a tort to be priced. This ensures that for corporations, accountability is just another cost to be managed, while for victims, the loss remains devastatingly real.


Conclusion: This Is the System Working as Intended

The story of the Cash App data breaches is not an anomaly. It is not a case of one “bad apple” corporation failing in an otherwise functional system. It is a predictable outcome of a system of neoliberal capitalism that is working exactly as it was designed: to prioritize and protect capital accumulation above all else.

When Cash App can ignore years of security warnings, allow two massive data breaches to occur through basic negligence, delay informing its customers for months, and then resolve the resulting legal action with a settlement that includes no admission of wrongdoing, the system is not broken. It is functioning to shield corporate actors from meaningful consequences. The financial losses of individual users are treated as externalities—unfortunate but acceptable collateral damage in the pursuit of market dominance and shareholder returns.

This case reveals the deep-seated flaws in our economic and legal structures. It demonstrates how deregulation creates the conditions for corporate misconduct, how the profit motive disincentivizes ethical behavior, and how the legal system provides corporations with off-ramps to avoid true accountability. The harm suffered by millions of Cash App users is a direct indictment of this system, a clear signal that without fundamental reform, corporations will continue to operate with impunity, leaving ordinary people to clean up the mess.


Frivolous or Serious Lawsuit?

This lawsuit represents a deeply serious and legitimate legal grievance. The claims are rooted in the documented loss of sensitive financial data for over 8.2 million people and a verifiable pattern of unauthorized transactions that cost users dearly. The allegations of delayed notification and inadequate security point to clear corporate negligence that had severe, real-world consequences. In a digital economy where consumers are required to surrender vast amounts of personal information to participate, lawsuits like this are one of the few remaining tools to challenge the immense power imbalance between individuals and the corporations that profit from their data. It is a necessary, if ultimately insufficient, attempt to demand accountability in a system that provides very little of it.


Click on this link to join the class action settlement and grab yourself a tiny portion of their enormous revenue.

Here is another article on a different Cash App controversy, this one about the company using its users as slave labor to do marketing for the giant company: https://evilcorporations.com/corporate-misconduct-cash-app-spam-lawsuit-analysis/


NOTE:

This website is facing massive amounts of headwind trying to procure the lawsuits relating to corporate misconduct. We are being pimp-slapped by a quadruple whammy:

  1. The Trump regime's reversal of the laws & regulations meant to protect us is making it so victims are no longer filing lawsuits for shit which was previously illegal.
  2. Donald Trump's defunding of regulatory agencies led to the frequency of enforcement actions severely decreasing. What's more, the quality of the enforcement actions has also plummeted.
  3. The GOP's insistence on cutting the healthcare funding for millions of Americans in order to give their billionaire donors additional tax cuts has recently shut the government down. This government shutdown has also impacted the aforementioned defunded agencies' capabilities to crack down on evil-doers. Donald Trump has since threatened to make these agency shutdowns permanent on account of them being "democrat agencies".
  4. My access to the LexisNexis legal research platform got revoked. This isn't related to Trump or anything, but it still hurt as I'm being forced to scrounge around public sources to find legal documents now. Sadge.

All four of these factors are severely limiting my ability to access stories of corporate misconduct.

Due to this, I have temporarily decreased the number of articles published every day from 5 down to 3, and I will also be publishing articles from previous years as I was fortunate enough to download a butt load of EPA documents back in 2022 and 2023 to make YouTube videos with.... This also means that you'll be seeing many more environmental violation stories going forward :3

Thank you for your attention to this matter,

Aleeia (owner and publisher of www.evilcorporations.com)

Also, can we talk about how ICE has a $170 billion annual budget, while the EPA-- which protects the air we breathe and water we drink-- barely clocks $4 billion? Just something to think about....

Evil Corporations