Yes, Cash App users’ personal information was exposed in a significant data breach, and the company has agreed to pay $27.5 million in court-approved settlements to affected users. The primary settlement of $15 million addresses a data breach incident that occurred in April 2022 affecting Cash App Investing, followed by a broader security incident disclosed in October 2023. A federal judge granted final approval of the data breach settlement on March 27, 2025, and payments began rolling out to claimants starting in April 2025, with additional settlement payments distributed as recently as February 2026. This settlement represents one of several enforcement actions against Block, Inc.
(Cash App’s parent company) for various security and privacy failures. Beyond the initial $15 million data breach settlement, affected users are also eligible for compensation through a separate lawsuit addressing unsolicited spam text messages sent through Cash App’s referral program, with payments of $394.36 per approved claimant beginning in February 2026. Additionally, Block is distributing up to $120 million from a federal enforcement action to compensate fraud victims who were denied proper refunds—a distribution that requires no claim filing. As of June 2026, all claim deadlines for the data breach settlement have passed, meaning no new claims are being accepted. However, eligible users who submitted claims before the deadline may still be waiting for or processing their payments, making it important to understand how the settlement works and what compensation is available.
Table of Contents
- What Personal Information Was Exposed in the Cash App Data Breach?
- Timeline of the Cash App Security Incidents and Settlement Process
- How Much Can Cash App Users Claim From the Settlement?
- How to Verify Eligibility and What Happens to Your Claim
- Common Problems and Limitations of the Settlements
- The Spam Text Settlement and Additional Compensation
- The Federal Fraud Recovery Fund and Automatic Compensation
- Conclusion
What Personal Information Was Exposed in the Cash App Data Breach?
The data breach that triggered the $15 million settlement exposed sensitive personal information belonging to Cash App users, including names, email addresses, phone numbers, and other identifying details. The breach was not a single incident but rather encompassed two separate security events—the April 2022 incident affecting the Cash App Investing product and a broader breach discovered and publicly disclosed in October 2023. For example, a user might have discovered their email address and phone number were compromised, making them vulnerable to phishing attacks or identity theft attempts targeting Cash App account holders specifically. The scope of exposure varies depending on which incident affected the user.
Some individuals may have been impacted by only one breach, while others could have been exposed in both events, potentially compounding the risk to their personal information. Block did not disclose the exact number of users affected by each breach, but the settlement’s size suggests the exposure was substantial. This ambiguity is one limitation of the settlement: users are often uncertain whether their data was actually compromised or simply potentially at risk, yet the settlement compensates affected individuals regardless. The personal information exposed—particularly email addresses and phone numbers—is valuable to fraudsters and scammers who use such data to launch targeted attacks against financial services users. Victims of the breach have reported receiving phishing attempts and fraudulent communications pretending to be from Cash App or associated services, demonstrating a real-world consequence of the data exposure beyond mere privacy concerns.
Timeline of the Cash App Security Incidents and Settlement Process
Understanding when the breaches occurred and how long the settlement took to finalize helps illustrate the timeline of accountability for Cash App’s security failures. The April 2022 incident affected the Cash App Investing product specifically, exposing user data during a relatively contained security event. However, this initial incident did not immediately trigger a public settlement announcement. Instead, approximately eighteen months later in October 2023, Block disclosed a broader data breach, which appears to have prompted the lawsuit and subsequent settlement negotiations. The legal process moved relatively quickly once formal action began: the class action suit (Salinas v.
Block, Inc.) resulted in a settlement agreement, and the court granted final approval on March 27, 2025. This means the class certification, fairness hearing, and judicial review were all completed within roughly eighteen months of the public breach disclosure in October 2023. Once approved, payment processing began immediately, with electronic transfers starting April 10, 2025, and paper checks mailed beginning April 20, 2025. A significant limitation of this timeline is that users affected by the April 2022 breach waited approximately three years before receiving any compensation, during which their data remained compromised and circulating in criminal networks. The settlement also led to a separate enforcement action at the federal level, resulting in the $120 million federal fund for fraud victims—an action that appears to have been negotiated in parallel with the class settlement rather than as a follow-up.
How Much Can Cash App Users Claim From the Settlement?
The $15 million data breach settlement is divided among all eligible claimants, meaning individual payouts depend on how many people filed claims and whether they were approved. Unlike some settlements with fixed per-person amounts, the Cash App data breach settlement operates on a pro-rata distribution basis, where the settlement fund is divided among all valid claimants. For comparison, in a settlement where 500,000 eligible users file claims, each person would receive approximately $30 before any administrative costs. In reality, the actual per-person amount is typically lower due to claims administration fees, attorney compensation, and case costs. The companion settlement addressing spam texts functions differently, offering a fixed $394.36 per approved claimant.
This represents a more predictable payout structure that users can understand in advance. The spam text settlement compensates users for Cash App’s violation of Washington state law by substantially assisting in the transmission of unsolicited commercial text messages through the platform’s Invite Friends referral program—a specific product feature that enabled harassment at scale. Importantly, there is a major distinction between the claim-based settlements and the federal fraud recovery fund: the $120 million federal fund is distributed automatically to fraud victims who were denied proper refunds by Cash App, with no claim filing required. This means eligible users don’t need to take action to receive compensation from this fund; Block is identifying qualifying transactions and distributing funds proactively. A downside is that the criteria for this federal fund are narrower and more specific than the general data breach settlement, so not all breach victims qualify.
How to Verify Eligibility and What Happens to Your Claim
If you believe you were affected by either the April 2022 or October 2023 Cash App data breach, determining eligibility for the settlement requires understanding the claim process and deadlines. As of June 2026, all claim deadlines have passed for the data breach settlement, meaning no new claims are being accepted. However, users who filed claims before the deadline may still be in various stages of payment processing, particularly if they had claims that required additional verification or adjustment. To check the status of a submitted claim, affected users should visit the official settlement administrator’s website associated with the Salinas v. Block case or the official Cash App Security Settlement website (cashappsecuritysettlement.com). These sites maintain records of approved claims and payment status.
If you have already received your payment, you can confirm the amount matched the settlement’s pro-rata calculation. If you have not yet received payment and believe you filed a valid claim before the deadline, documenting your claim submission date and claim number is important for following up with the settlement administrator. For the spam text settlement (Bottoms v. Block), users who submitted claims before the deadline began receiving the fixed $394.36 payout starting February 2, 2026. The criteria for this settlement are whether the user was a Cash App customer who received unsolicited spam text messages through the referral program. One practical challenge is that many users may not have associated the spam messages they received with the referral program or may not have saved documentation, making it harder to recall whether they qualify.
Common Problems and Limitations of the Settlements
One significant limitation of the data breach settlement is that eligible users cannot opt out and receive no compensation if claims administration is mishandled. The pro-rata distribution model, while fair in theory, often results in very small per-person payouts—sometimes as little as $5 to $50 per claimant depending on claim volume. In the Cash App case, the relatively modest settlement size ($15 million) divided among potentially hundreds of thousands of affected users results in payments that many claim administrators have reported are insufficient to meaningfully compensate individuals for the inconvenience, credit monitoring costs, and identity theft risks posed by the exposure. Another limitation is the claim filing process itself, which required users to take action to participate rather than being automatically enrolled. Some affected users were unaware of the breach or the settlement opportunity and missed the deadline entirely.
Even users who filed claims sometimes experienced delays in payment processing, confusion about payment status, or situations where claims were initially rejected due to incomplete information. Additionally, the settlement does not include any free credit monitoring or identity theft protection services—compensation is cash-based only, leaving users responsible for their own fraud prevention measures. A critical downside is that the settlements do not include any admission of wrongdoing by Block, nor do they require the company to implement specific security improvements or enhanced data protection practices going forward. The settlements are framed as a resolution without judgment, meaning they do not establish that Cash App’s security practices were inadequate. This raises a legitimate concern about whether the financial penalty is substantial enough to incentivize real security improvements or whether it will be treated as a cost of doing business.
The Spam Text Settlement and Additional Compensation
The Bottoms v. Block spam text settlement represents a distinct but related enforcement action addressing a specific problem: Cash App’s Invite Friends referral program enabled users to send unsolicited commercial text messages to contacts, violating Washington state’s anti-spam laws. Rather than Block preventing abusive use of the referral feature, the company substantially assisted in the transmission of these messages by providing the platform and functionality.
Users who received spam text messages promoting Cash App through this program became the class and are eligible for $394.36 per approved claim. This settlement is notable because it addresses a different harm than the data breach itself—the issue is not exposure of information but rather unwanted marketing communications sent at scale. For example, a user who received dozens of referral spam messages from Cash App friends might qualify for multiple claims if the company’s claims process permits aggregation. Payments from this settlement began February 2, 2026, and all claim deadlines have passed, though approved claimants may still be receiving distributions if the payout process is being conducted in phases.
The Federal Fraud Recovery Fund and Automatic Compensation
Beyond the class action settlements, Block is distributing up to $120 million from a federal enforcement action to compensate users who were victims of fraud and were denied proper refunds by Cash App. This fund is distinct because it requires no claim filing; instead, Block is identifying eligible transactions automatically and distributing compensation without requiring users to take action. This represents a different approach than the class settlement, where active participation was necessary.
The federal fraud fund targets a specific category of harm: users who reported fraudulent transactions, requested refunds, and were improperly denied by Cash App. This is a narrower group than all users affected by the data breach, but for those who qualify, the compensation is automatic. As of June 2026, distributions from this fund have been ongoing, though the total amount ultimately distributed will depend on how many qualifying fraud claims Block identifies in its review of past transactions.
Conclusion
Cash App users affected by the April 2022 and October 2023 data breaches have access to $27.5 million in court-approved settlements, though all claim deadlines have passed as of June 2026. The primary $15 million data breach settlement (Salinas v. Block) operated on a pro-rata basis, meaning individual payouts depend on the total number of approved claims—typically resulting in modest per-person compensation. Additionally, affected users may be eligible for $394.36 from the spam text settlement (Bottoms v. Block) if they received unsolicited promotional messages through Cash App’s referral program, with payments that began in February 2026.
Block is also automatically distributing up to $120 million from a federal enforcement action to fraud victims who were denied proper refunds, requiring no claim filing. If you believe you were affected by either the Cash App data breach or spam text issues, check the status of any claims you may have filed by visiting the official settlement administrator websites or cashappsecuritysettlement.com. Since all claim deadlines have closed, no new claims can be submitted; however, approved claimants may still be receiving delayed payments. For users impacted by fraudulent transactions, monitor your account and any communications from Block regarding the federal fraud recovery fund, as compensation may be distributed automatically. Document any unreimbursed fraud losses for your records, as this information may be relevant if additional legal actions emerge related to Cash App’s security practices.