Revolut mobile banking startup confirms data breach of 50,000 users
Digital banking startup Revolut confirmed it was hacked last week, exposing data on more than 50,000 customers around the world, including over 20,000 in Europe.
The company disclosed the breach on Friday to the state data protection agency of Lithuania, where the company holds a banking license.
London-based Revolut is the UK’s most valuable fintech startup, valued at $33 billion, according to Forbes. It has over 20 million users in 200 countries but is most popular in Europe and the UK.
The app was founded in 2015 by Russia-born Nikolay Storonsky and Ukraine-born Vlad Yatsenko. Among the startup’s investors are big-name funds like Tiger Global Management, SoftBank Vision Fund, and Credit Suisse.
The Revolut hack occurred on the night of September 11 and affected just 0.16% of its customers, according to an email the company sent to users impacted by the attack.
In the email, shared with The Record by one of its readers based in Lithuania, the company said that it suffered “a highly targeted cyberattack from an unauthorized third party” that may have gained access to some of the user data for a short period of time.
The exposed information varies for different customers, according to the company, but mostly includes user names, addresses, emails, postal addresses, telephone numbers, and part of the payment card data.
The company reassured users that no funds were stolen and no card details, PINs, or passwords were accessed.
Revolut told its users that it “immediately detected and isolated the cyberattack.” According to the breach disclosure to the Lithuanian data privacy regulator, the company has already initiated an internal investigation into the data breach.
The company also created a dedicated team to monitor exposed accounts. Users, however, don’t need to take any action and can use their cards normally, Revolut’s email said.
According to preliminary data shared by the company with the Lithuanian regulators, hackers obtained access to the Revolut database through social engineering — a method that tricks users into making security mistakes or giving away sensitive information.
The company warned that users affected by the cyberattack are “at increased risk of fraud” and advised them to be vigilant for any suspicious emails, phone calls, or messages.
Soon after the attack, one user who was not impacted wrote on Twitter that he received a phishing SMS, allegedly from Revolut, saying that his credit card “has been frozen to prevent fraud.”
Soon after the revolut hack, revolut #smishing SMSs have started. @NiceNIC_NET @yandex @BleepinComputer @JCyberSec_ https://t.co/Pn4DnVaC8Z
— Report Smishing (@reportsmishing) September 18, 2022
In this message, the sender mentioned only part of the credit card number, as the full number, according to the company’s disclosure, is masked.
The company asked users to ignore messages that ask for payment details or passwords. “Revolut will not call or text you regarding this incident,” according to the company’s email.
Some users on Reddit also reported that they saw messages with inappropriate language on the app’s support chat. Revolut replied that it's aware of those messages and is “taking steps to ensure this does not happen again.”
The company did not respond to an inquiry from The Record about the defacement attack and data breach.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.