MoneyLion locks customer accounts after credential stuffing attacks

The banking and investing platform MoneyLion had to lock customer accounts that were breached in credential stuffing attacks over the summer, in June and July.

The fintech company has provided mobile banking services for borrowing, saving, and investing money to more than 8.5 million Americans since its launch in 2013.

In credential stuffing attacks, threat actors use large collections of username/password combinations leaked following security breaches of various online services to log into the victims’ user accounts on other online platforms. Such attacks commonly work particularly well against those who reuse their credentials for accounts on multiple sites.

The attackers’ end goal is to gain access to as many accounts as possible to steal sensitive info and money or to take over the identities of the accounts’ owners.

MoneyLion’s systems were not breached

“MoneyLion promptly started an investigation and determined that a very limited number of accounts were potentially impacted. Similar activity occurred again between July 13 – 16, and once again between July 27 – 30,” the company said in a data breach notice.

“Through our investigation, we have determined that an unauthorized outside party appears to have been attempting to gain access to your account on the application using an account password and/or possibly email address that appear to have been potentially compromised in a prior event on another site unrelated to MoneyLion.”

The attackers could only gain access to customers’ accounts but didn’t breach MoneyLion’s systems. 

The digital financial platform found no evidence that the credentials used in the attacks were obtained from MoneyLion’s servers.

MoneyLion also failed to find proof that the affected customers’ Social Security Number, driver license numbers, and payment information relating to linked bank accounts or debit cards were impacted in the incidents.

However, the company admitted that “it does appear that an unauthorized outside party” used their passwords to access their accounts.

Multi-factor authentication enabled for all accounts

In response to the attacks, MoneyLion locked the impacted customers’ accounts to force them to reset their credentials and notified them of the incident.

“Additionally, as you may be aware, we also have implemented additional multi-factor authentication for all accounts,” MoneyLion added.

“As always, we recommend that you remain vigilant to fraud and that you always use unique passwords for all websites and applications – and update those passwords often, storing them in a secure location.”

MoneyLion announced plans to become publicly traded after the completion of a business combination with Fusion Acquisition Corp, a transaction approved at a Fusion stockholders’ meeting on September 21.

A MoneyLion spokesperson was not immediately available for comment when BleepingComputer reached out earlier today.