MoneyLion was hit by a series of credential stuffing attacks in the summer of 2021.
The fintech company, launched in 2013, helps more than 8.5 million Americans to manage their money with services like borrowing, saving, and investing.
In credential stuffing attacks, attackers collect large sets of username/password combinations that were leaked in earlier security breaches. These usernames and passwords are then tried on other sites to access users’ accounts there.
“MoneyLion promptly started an investigation and determined that a very limited number of accounts were potentially impacted. Similar activity occurred again between July 13 – 16, and once again between July 27 – 30,” the company said in a data breach notice.
The attackers’ access was limited to the accounts of MoneyLion customers. The company’s systems were not breached.
“Through our investigation, we have determined that an unauthorized outside party appears to have been attempting to gain access to your account on the application using an account password and/or possibly email address that appear to have been potentially compromised in a prior event on another site unrelated to MoneyLion.”
MoneyLion did not find evidence that the details of the victims affected by the incidents were obtained from the company’s servers. However, the company admitted that “it does appear that an unauthorized outside party” used leaked passwords to access user accounts.
The company denied that its customers’ Social Security numbers, driver’s license numbers, and payment information or debit cards were leaked in the incident.
MoneyLion locked the affected customers’ accounts and forced the users to reset their credentials. The company has also added multi-factor authentication (MFA) for all accounts:
“Additionally, as you may be aware, we also have implemented additional multi-factor authentication for all accounts,” MoneyLion added. “As always, we recommend that you remain vigilant to fraud and that you always use unique passwords for all websites and applications – and update those passwords often, storing them in a secure location.”