Chime Financial Class Action Lawsuit 2026, Were You Locked Out During the April Cyberattack?

Two Chime customers filed a class action lawsuit against Chime Financial on April 3, 2026, alleging a cyberattack on April 1, 2026 knocked the platform offline, locked thousands of users out of their accounts, and exposed personal data. No settlement exists yet and no claims process is open. This article explains what happened, who may be affected, and what steps you can take right now while the case is in early litigation.

Case Snapshot

Field	Detail
Lawsuit Type	Class action — data breach / negligence / CCPA violation
Defendant	Chime Financial Inc.
Case Name	Castaneda, et al. v. Chime Financial, Inc.
Case Number	4:26-cv-02924
Court	U.S. District Court for the Northern District of California
Date Filed	April 3, 2026
Lead Plaintiffs	Cindy Castaneda and Lauren Goodloe
Plaintiff Firm	Strauss Borrelli PLLC
Settlement Amount	None — litigation phase only
Claims Process Open	No
Proposed Class	All U.S. residents whose personal data the April 2026 breach compromised

Where This Case Stands Right Now

• The lawsuit was filed on April 3, 2026 — just two days after the cyberattack. It is in the earliest stage of federal litigation, with no judge assignment, discovery schedule, or trial date yet confirmed.
• No settlement has been negotiated, proposed, or approved. There is no claim form, no settlement website, and no money available to consumers at this time.
• Chime’s status page stated during the outage that card purchases and ATM transactions continued working normally and that customer funds and personal information were secure — a position the plaintiffs directly dispute in the complaint.

What Happened on April 1, 2026?

Chime Financial is a San Francisco-based fintech company that provides app-based checking and savings accounts, direct deposit, and debit card services to millions of Americans — many of whom use it as their only banking option. Unlike traditional banks, Chime has no physical branches. If the app or website goes down, customers have no backup way to access their money.

On April 1, 2026, a cybercriminal group called Team 313 — known for data theft and extortion — allegedly launched an attack on Chime’s servers. The group publicly claimed responsibility on its own leak site and across social media. Within hours of the attack beginning, reports of problems flooded outage-tracking platforms: by mid-morning, more than 5,000 users had reported issues on Downdetector, and that number climbed past 16,000 at the outage’s peak. Chime’s own status page confirmed a platform-wide service disruption and listed affected features including SpotMe, Pay Anyone, Mobile Check Deposit, MyPay, ACH transfers, dispute filing, and the mobile app itself.

Lead plaintiff Cindy Castaneda says she lost the ability to see updated balances in her checking and savings accounts during the outage. Co-plaintiff Lauren Goodloe says he logged in to pay his rent, saw a black screen displaying an outdated savings balance, and could not transfer money or pay bills. The lawsuit claims the outage impacted an estimated 20,000 or more users at its peak, and that because Chime operates with no physical locations, affected customers had absolutely no alternative way to access their funds.

Related article: Seattle Police Officers Sue the City Over Years of Carbon Monoxide Exposure at the West Precinct

What the Lawsuit Actually Alleges Against Chime

The plaintiffs argue Chime failed its customers in two distinct ways: it did not protect their data adequately before the attack, and it did not notify them properly after.

On the security side, the complaint alleges Chime’s cybersecurity protections fell short of multiple widely recognized standards — including FTC data security guidelines, the NIST Cybersecurity Framework, and CIS Critical Security Controls — despite Chime’s own privacy notice stating it maintains safeguards designed to protect customer data. Plaintiffs argue that collecting and storing sensitive personal and financial information while failing to protect it adequately is itself a harm to consumers.

On notification, the lawsuit claims Chime failed to alert affected customers within a reasonable time after learning of the breach. That delay, plaintiffs argue, prevented users from taking basic protective steps — changing passwords, monitoring accounts for fraud, or placing alerts with credit bureaus — at the moment those measures would have mattered most. The complaint also states that Team 313 has already published or will soon publish stolen personally identifiable information on the dark web, though Chime has not confirmed any data was actually exfiltrated.

The Eight Legal Claims Filed Against Chime

The complaint brings the following causes of action against Chime Financial Inc.:

• Negligence — Chime failed to use reasonable care to protect customer data against foreseeable cyberattacks
• Negligence per se — Chime violated statutory duties that courts treat as automatic evidence of negligence
• Breach of implied contract — Customers provided their personal data in exchange for an implied promise of adequate security, which Chime allegedly broke
• Breach of the implied covenant of good faith and fair dealing — Chime undermined the reasonable expectations customers had when opening accounts
• Unjust enrichment — Chime collected, monetized, and profited from customer data while failing to provide the security protections it implicitly promised
• Violation of California’s Unfair Competition Law — Chime engaged in unlawful and unfair business practices under California Business and Professions Code
• Violation of the California Consumer Privacy Act (CCPA) — Chime failed to implement and maintain reasonable security for unencrypted personal information as required by California law
• Declaratory judgment — Plaintiffs ask the court to formally establish Chime’s ongoing data security obligations going forward

The plaintiffs seek compensatory damages, punitive damages, restitution, injunctive relief requiring Chime to upgrade its security practices, and attorneys’ fees.

Who Could Be Part of This Lawsuit?

The proposed class covers all U.S. residents whose personally identifiable information was compromised in the April 2026 cyberattack. Because the class definition is still proposed — no court has certified it yet — the exact boundaries will be shaped by the litigation as it progresses.

You may fall within the proposed class if:

• You are a Chime customer whose account was affected during the April 1, 2026 outage
• You could not access your Chime account, view balances, transfer funds, or use Chime services during the disruption
• You received a notification from Chime about the April 2026 incident, or have reason to believe your personal data was exposed
• You experienced any financial harm — missed payments, late fees, inability to access direct deposits — as a result of the outage

No action is required to join a class action at this stage. If a settlement is eventually reached and approved, class members typically receive notice by mail or email with instructions on how to file a claim.

What You Should Do Right Now

No money is available and no claim form exists today. But the steps you take right now can protect you and strengthen any future claim you may have.

Monitor your Chime account closely. Check for any transactions or account changes you did not authorize. Report anything suspicious to Chime directly and document what you find.

Change your Chime password and enable two-factor authentication. If Team 313 accessed any account credentials, changing your password immediately limits further exposure.

Place a fraud alert or credit freeze. Contact the three major credit bureaus — Equifax, Experian, and TransUnion — to place a free fraud alert or credit freeze on your file. A credit freeze prevents new accounts from being opened in your name. This is especially important if the complaint is correct that stolen data may appear on the dark web.

Keep records of any harm you experienced. Save screenshots of error messages, document missed payments or late fees caused by the outage, and note any time you spent dealing with the disruption. This documentation may support a future damages claim.

Check for a breach notification letter from Chime. If Chime sends you a formal notification that your personal information was involved in the breach, keep that letter. It is typically the clearest evidence of your inclusion in a future class.

If you have used other app-based financial platforms and are concerned about how data breaches at digital banks work, our coverage of the Chime and Cash App fintech lawsuit settlements and payouts explains how regulatory enforcement against Chime has worked in prior cases. For a recent example of how a similar cyberattack against an app-based financial institution led to a resolved class action, see the full details of the Patelco Credit Union $7.25M data breach settlement — a case that followed nearly the same fact pattern and shows what the resolution process can look like for affected customers.

Frequently Asked Questions

Can I file a claim against Chime right now?

 No. There is no settlement, no claim form, and no claims process open at this time. The lawsuit was filed on April 3, 2026, and is in the earliest stage of federal litigation. If a settlement is eventually reached, this page will be updated with claim filing information.

Do I need to do anything to be included in the class action?

 Not right now. Class actions automatically include all people who meet the class definition — you do not need to sign up or register. If the case settles, class members typically receive notice by mail or email explaining how to file a claim. The only active step right now is to document any harm you experienced.

Is Chime saying customer data was stolen? 

As of April 7, 2026, Chime’s status page stated that customer funds and personal information were secure during the outage. The plaintiffs dispute this and allege Team 313 has already published or plans to publish stolen data on the dark web. Chime has not confirmed any data exfiltration. This factual dispute is central to the litigation.

Who is Team 313?

 Team 313 is a cybercriminal group known for data theft and extortion. They publicly claimed responsibility for the April 1 attack on Chime’s servers via their own leak site and social media accounts. The group’s involvement has not been independently verified by Chime or confirmed through official law enforcement channels as of the filing date.

How long will this lawsuit take to resolve? 

Data breach class actions at this early stage typically take one to three years to reach a settlement, depending on the complexity of discovery, whether the court certifies the class, and whether both sides negotiate a resolution. Some cases settle faster; others take longer or go to trial.

What if I missed payments or paid late fees because of the outage?

 Document everything. Save bank statements, screenshots of error messages, and any records showing fees or financial harm that resulted directly from your inability to access Chime on April 1, 2026. If a settlement is reached, documented out-of-pocket losses typically qualify for higher compensation than standard flat-rate payments.

Could this lawsuit result in Chime improving its security practices?

 Possibly. Alongside money damages, the plaintiffs specifically request injunctive relief — a court order requiring Chime to implement stronger cybersecurity safeguards. Courts sometimes grant this type of relief in data breach cases as part of a negotiated settlement, though outcomes vary.

Sources & References

1. Federal Court Docket: Castaneda, et al. v. Chime Financial, Inc., Case No. 4:26-cv-02924, U.S. District Court for the Northern District of California — PACERMonitor public docket
2. Chime Official Status Page (April 1, 2026 incident): status.chime.com

Last Updated: April 7, 2026

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding a particular situation, consult a qualified attorney.