Fintech company Revolut has fallen victim to a data breach, with unknown phishing hackers compromising more than 50,000 customer accounts.
The breach occurred on Sept. 11, and Revolut responded swiftly to lessen the impact of the attack. Although the attack was mitigated by the next day, the threat actors had already managed to compromise 50,150 accounts (0.16% of Revolut’s current install base).
In a letter shared with customers impacted by the breach, the fintech company said that the attack was highly targeted and those receiving the notice are now at “increased risk of fraud.”
“We recently received a highly targeted cyber attack from an unauthorized third party that may have gained access to some of your information for a short period of time,” Revolut said in its notice. “You do not need to take any action, however we wanted to let you know, and sincerely apologize for this incident.”
Revolut’s letter to impacted clients also said that “we want to reassure you that your data is now safe.”
However, according to the State Data Protection Inspectorate in Lithuania (where Revolut is licensed as a bank), hackers most likely obtained email addresses, full names, postal addresses, phone numbers, limited payment card data, and a variety of data related to the users’ accounts.
This confirmed that the clients impacted by the breach were at a higher risk for fraud and phishing attacks.
“We emphasize that no access was made to the theft of funds,” the company added. “Your money is safe, as always. You can use your card and account normally.”
While users’ funds should be safe, Revolut recommended that they remain “especially vigilant for any suspicious activity, including suspicious emails, phone calls or messages.”
“This was an isolated incident and the security of our customers’ accounts remains our top priority,” the fintech giant’s letter stated.
Additionally, Revolut apologetically told impacted clients that it wouldn’t be able to answer all of their questions with investigations still ongoing, and only promised to “be in touch shortly with further information if needed.”
However, Revolut maintained that no card details, PINs, or passwords were accessed as a result of the incident.