An anonymous reader quotes a report from Motherboard: Hackers are breaking into unsuspecting victims' Cash App accounts, a massively popular payment app, and stealing hundreds of dollars, according to victims Motherboard spoke to. In one person's case, they said, Cash App has not reimbursed them for the stolen funds. "It's scary!" Liz Shelby, who said their son was a victim of the hacking, told Motherboard in an online chat. "My son saved up some cash for a small vacation with his grandma. We put it in his Cash App before he left. He called me on Aug. 9, and told me that his money was gone." Shelby said that after she looked at the account she found that someone else had logged into it and sent themselves the money. Shelby said she's been emailing Cash App support, without success. Marvis Herring, another target, told Motherboard that hackers attempted to steal $1,400, in the form of two installments of $700. In those cases, Herring believes his bank blocked the fraudulent transactions. Motherboard saw many other people reporting on social media that their Cash App accounts had been compromised in some way. "The main thing I thought was weird is that I went to change my account password and there really isn't a password for Cash App accounts," Herring added. When users sign up to Cash App, they can use either an email address or a phone number to open an account. After doing so, they receive a login code sent to either of those. On fraud websites, dark web marketplaces, and social media, multiple people appear to be selling login details associated with Cash App accounts. Some of these peoples' listings specify that the logs contain the email address and password for a linked email account. Some of the listings may be scams, but those on the dark web marketplaces come from fraudsters who have received positive feedback from alleged customers, according to the review system that is common on such sites. One listing for hacked Cash App accounts said the vendor has sold that specific item multiple times.

Fraudsters also appear to be offering Cash App accounts for another purpose: laundering money. Motherboard found multiple listings on a dark web marketplace offering these newly created and verified accounts. Cash App requires users to verify their identity to use some features, and this can require them providing their Social Security Number with the platform. These already verified accounts will allow fraudsters to buy Bitcoin through the Cash App without having to verify their identity, the listing suggests. [...] On its website, Cash App encourages users to make sure their linked email address has two-factor authentication enabled. The app also has an extra feature called Security Lock which means that each transfer requires the user to enter a PIN.

"Preventing fraud is critically important to Cash App. We continue to invest in and bolster fraud-fighting resources by both increasing staffing and adopting new technology. We are constantly improving systems and controls to help prevent, detect, and report bad activity on the platform," a Cash App spokesperson told Motherboard in a statement. "For those who believe they have fallen victim to an identity-theft or account take-over scams, we encourage them to reach out to Cash App Support where we will review the account in question. If deemed fraudulent, we will take the necessary action starting with account closure and disablement of all applicable products."