November 3 data security incident
Late in the evening of November 3, we experienced a data security incident. An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers. Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident.
The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems. At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people. We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed. We’re in the process of making appropriate disclosures to affected people.
We promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm.
We are in the process of making appropriate disclosures to affected individuals. The safety and security of your account is of the utmost importance to us and we will continue to monitor the security of our networks on a 24/7 basis.
We encourage you to enable two-factor authentication (2FA) in the app, using an authenticator app, to help protect your account. You can find out how to set up 2FA here.
Phishing scams are common, and fraudsters often impersonate financial firms. Here are several precautions and actions you can take to keep your account and information safe.
As a best practice, you should also use a unique password for your email account and turn on two-factor authentication. Double-check the sender on emails that contain links or attachments, or in which the sender requests sensitive actions or personal information. When possible, log in directly via web browser or application instead of logging in via links.