Chime Financial Class Action Lawsuit, 20,000 Users Locked Out After April 2026 Cyberattack Here Is What Is Happening
Chime Financial is facing a class action lawsuit filed in the U.S. District Court for the Northern District of California alleging the company failed to prevent an April 1, 2026 cyberattack that knocked its platform offline and exposed the personally identifiable information of an estimated 20,000 or more customers. The case was filed on April 3, 2026, just two days after the attack. No settlement exists, and no claims process is open.
| Field | Detail |
| Lawsuit Filed | April 3, 2026 |
| Defendant | Chime Financial, Inc. |
| Alleged Violation | Negligence, CCPA, breach of implied contract, unjust enrichment, California UCL |
| Who Is Affected | All U.S. residents whose PII was compromised in the April 2026 breach |
| Current Court Stage | Early litigation — no class certified, no discovery schedule set |
| Court & Jurisdiction | U.S. District Court for the Northern District of California, Case No. 3:26-cv-02924 |
| Lead Law Firm | Strauss Borrelli PLLC |
| Next Hearing Date | TBD — no hearing date has been scheduled as of filing |
| Official Case Website | TBD — no official case website has been created at this stage |
| Last Updated | May 1, 2026 |
What Is the Chime Lawsuit About? Castaneda et al. v. Chime Financial, Inc., No. 3:26-cv-02924
On April 1, 2026, a cybercriminal group called Team 313 — known for data theft and extortion — allegedly launched a coordinated attack against Chime’s internal servers. The group publicly claimed responsibility on its own dark web leak site and across social media within hours. Chime confirmed a platform-wide service disruption that same day, but maintained that customer funds and personal information remained secure throughout the outage.
The 33-page complaint tells a different story. Plaintiffs Cindy Castaneda and Lauren Goodloe, both Chime customers from California and Illinois respectively, allege the company acted with “wanton and reckless disregard” for the security of customer data. They say Chime fell short of multiple recognized cybersecurity standards, including FTC data security guidelines, the NIST Cybersecurity Framework, and CIS Critical Security Controls — all of which are widely adopted across the financial services industry.
The legal claims span negligence, negligence per se, breach of implied contract, unjust enrichment, violations of the California Consumer Privacy Act (CCPA), and violations of California’s Unfair Competition Law. The CCPA claim is particularly significant: California law gives consumers a private right of action when companies fail to maintain “reasonable security procedures and practices” and a breach results — with statutory damages ranging from $100 to $750 per consumer per incident. If you were a Chime customer and want to understand how data breach compensation works more broadly, the Citizens Bank data breach class action lawsuit provides a close parallel — another fintech case where a cybercriminal group breached financial data and customers are now awaiting litigation outcomes.
Are You Part of the Chime Class Action Lawsuit?
You do not need to do anything right now to be included. Class action lawsuits at this stage automatically cover everyone who fits the class definition — you do not sign up, and you do not file a form. Here is how to tell whether this lawsuit likely includes you:
You may be part of this class if:
- You are a U.S. resident who held a Chime account at the time of the April 1, 2026 cyberattack
- You could not access your Chime account, view balances, transfer funds, or use Chime services during the April 1 outage
- You received a notification from Chime about the April 2026 incident, or have reason to believe your personal data was exposed
- You experienced financial harm as a direct result of the outage — missed rent, late fees, inability to access your direct deposit, or inability to pay bills
- Your personally identifiable information (PII) — including your name, address, Social Security number, or banking details — may have been compromised in the breach
You are likely NOT included if:
- You are a Chime employee, director, or officer
- You did not have an active Chime account as of April 1, 2026
- You had a Chime account but experienced no disruption and received no breach notification
For those asking “am I part of the Chime class action lawsuit” — the short answer is: if you were a Chime customer on April 1, 2026 and your access was disrupted or your data was at risk, you are almost certainly in the proposed class. A judge will define the final class boundaries during certification proceedings. For a comparison of how class eligibility gets defined in similar fintech data breach cases, the Conduent data breach class action walked through nearly identical eligibility questions across 25 million+ affected users.
What Are Chime Plaintiffs Seeking in This Lawsuit?
The plaintiffs are not asking for a fixed settlement amount — none has been proposed. What they have asked the court to award is compensatory damages for out-of-pocket losses, punitive damages for what they characterize as reckless disregard for data security, and restitution. They are also seeking injunctive relief — a court order requiring Chime to materially upgrade its cybersecurity practices going forward.
The CCPA claim carries specific teeth here. With an estimated 20,000 or more affected users and statutory damages of $100 to $750 per consumer per incident, the potential exposure for Chime runs into the millions on that claim alone — before factoring in punitive damages or the negligence theory. Attorneys are also pursuing a declaratory judgment that would formally establish what security obligations Chime owes its customers under California law.
No money is available to consumers at this time. No claim form exists. If a settlement is eventually negotiated and approved, class members will receive notice by mail or email with instructions on filing — that process is likely at least one to three years away. Consulting a consumer rights lawyer about your individual circumstances is always an option if you believe your losses from this breach were particularly severe.
What Should You Do If You Were Affected by Chime?
Most Chime customers affected by the April 2026 breach do not need to take any legal action right now. The class action covers you automatically. But there are practical steps you should take today — steps that protect you now and strengthen your position if a settlement is ever reached.
- Save everything. Screenshot any error messages or locked-screen images you saw on April 1. Keep copies of any late fees, missed payment notices, or returned payment notices you received because you could not access your Chime funds during the outage. Save any breach notification or service disruption email Chime sent you — that is evidence of your class membership.
- Monitor your accounts. Check your Chime account and any linked bank accounts daily for unauthorized transactions. Set up transaction alerts if you have not already.
- Secure your profile. Change your Chime password now if you have not done so since April 1. Enable two-factor authentication if it is not already active on your account.
- Consider a credit freeze. Placing a free fraud alert or credit freeze with all three major credit bureaus — Equifax, Experian, and TransUnion — prevents new accounts from being opened in your name. A freeze costs nothing and can be lifted at any time.
- Monitor the case docket. Case No. 3:26-cv-02924 is publicly accessible on PACER at pacer.gov. Case updates, court rulings, and any eventual settlement notice will appear there first.
If you want to pursue an individual claim rather than wait for the class action, contact a data breach compensation attorney directly. A free legal consultation can help you understand whether your individual losses — financial harm, identity theft expenses, or documented fraud — are significant enough to warrant separate action.
Chime Class Action Lawsuit Timeline
| Milestone | Date |
| Team 313 Attack on Chime Servers | April 1, 2026 |
| Platform-Wide Outage at Peak | April 1, 2026 (est. 20,000+ users affected) |
| Lawsuit Filed (Castaneda et al.) | April 3, 2026 |
| Class Certification Motion | TBD — no motion has been filed yet |
| Last Major Court Ruling | TBD — case in earliest litigation stage |
| Next Scheduled Hearing | TBD — no hearing date set as of May 1, 2026 |
| Expected Settlement Timeline | TBD — data breach class actions of this type typically take one to three years to resolve |
Frequently Asked Questions About the Chime Class Action Lawsuit
Is there a class action lawsuit against Chime for the April 2026 data breach?
Yes. Castaneda et al. v. Chime Financial, Inc., Case No. 3:26-cv-02924, was filed on April 3, 2026 in the U.S. District Court for the Northern District of California. The case is in its earliest stage — no class has been certified and no settlement has been reached.
Do I need to do anything right now to be included in the Chime class action?
No. You do not need to sign up, register, or file anything at this stage. If a settlement is eventually approved, affected class members will receive notice by mail or email with instructions. The proposed class covers all U.S. residents whose PII was compromised in the April 2026 breach.
When will a settlement be reached in the Chime case?
No timeline is certain. Data breach class actions at this early stage — with no judge assignment and no discovery schedule confirmed — typically take one to three years to reach a negotiated settlement, and additional time after that for court approval and payment distribution. Do not expect a claims process in 2026.
Can I file my own lawsuit against Chime instead of waiting for the class action?
Yes. Any class member has the right to opt out of the class action and pursue an individual claim. This makes sense only if your personal losses — documented financial harm, identity theft expenses, or fraud charges — are significant enough to justify separate litigation. Speak with a class action lawsuit attorney for guidance specific to your situation.
How will I know if the Chime lawsuit settles?
The court is required to notify all known class members by mail or email before any settlement becomes final. You can also monitor Case No. 3:26-cv-02924 directly on PACER at pacer.gov, or watch for updates here on AllAboutLawyer.com as the case develops.
Did Chime confirm that data was stolen in the April 2026 breach?
No. As of the filing date, Chime’s position was that customer funds and personal information remained secure during the outage. The plaintiffs dispute this directly and allege Team 313 has already published or intends to publish stolen PII on the dark web. This factual dispute — whether data was actually exfiltrated — sits at the center of the litigation.
What law does the Chime lawsuit allege was violated?
The complaint alleges multiple violations, including the California Consumer Privacy Act (CCPA) for failure to maintain reasonable security for unencrypted personal information. The CCPA gives California consumers a private right of action with statutory damages of $100 to $750 per consumer per incident. The complaint also brings negligence and negligence per se claims under federal common law standards including FTC data security guidelines and the NIST Cybersecurity Framework.
What personal data is at risk from the Chime breach?
The complaint alleges that personally identifiable information — which may include names, addresses, Social Security numbers, banking account details, and other financial data — was potentially accessed or exfiltrated. Chime denies any data was stolen. Until a forensic investigation is completed and results are disclosed, the full scope of what was accessed remains disputed.
Sources & References
- Court Filing: Castaneda et al. v. Chime Financial, Inc., Case No. 3:26-cv-02924, U.S. District Court, Northern District of California (access via PACER)
- California Attorney General — California Consumer Privacy Act (CCPA)
- Federal Trade Commission — FTC Data Security Standards
Prepared by the AllAboutLawyer.com Editorial Team and reviewed for factual accuracy against the official court complaint (Case No. 3:26-cv-02924) filed April 3, 2026, in the U.S. District Court for the Northern District of California. Last Updated: May 1, 2026
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding a particular situation, consult a qualified attorney.
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah