Chime Financial Class Action Lawsuit, Were Your Data and Account Access Compromised in the April 2026 Breach?

A class action lawsuit filed against Chime Financial in California federal court alleges the company failed to protect customers’ highly sensitive personal data during a data breach that struck the platform on April 1, 2026, leading to a widespread outage and leaving thousands of users unable to access their accounts or funds. Three separate class action lawsuits are now pending, all in the same court. No settlement exists. No claim form is open. This article covers what happened, whether you are affected, and what you should do right now.

Quick Facts: Chime Financial Data Breach Class Action

Field	Detail
Lawsuit Filed	April 3, 2026 (first suit); April 7 and April 17, 2026 (two additional suits)
Defendant	Chime Financial, Inc.
Alleged Violation	Negligence, breach of implied contract, California Consumer Privacy Act (CCPA), California Unfair Competition Law, negligence per se, unjust enrichment
Who Is Affected	All U.S. residents whose personally identifiable information (PII) was compromised in the April 2026 breach
Estimated Users Impacted	Approximately 20,000 users reported access issues at peak disruption
Data Allegedly Stolen	Social Security numbers, dates of birth, government-issued IDs, addresses, phone numbers, email addresses, account credentials
Current Court Stage	Three lawsuits pending — earliest stage of federal litigation; no class certification, no trial date
Court & Jurisdiction	U.S. District Court for the Northern District of California
Case Name & Number	Castaneda, et al. v. Chime Financial, Inc., Case No. 3:26-cv-02924 (lead case)
Plaintiff Law Firms	Strauss Borrelli (first complaint); additional firms filed April 7 and April 17 suits
Next Hearing Date	TBD — no schedule set yet
Settlement / Claim Form	None — no settlement exists, no claim form is open
Last Updated	May 8, 2026

What Is the Chime Financial Data Breach Lawsuit About?

On April 1, 2026, a cybercriminal group called Team 313, known for data theft and extortion, allegedly launched an attack on Chime’s servers. The group claimed responsibility on its own leak site and social media. At its peak, an estimated 20,000 users reported issues using Chime.

Within hours of the attack beginning, more than 5,000 users had reported issues on Downdetector, and that number climbed past 16,000 at the outage’s peak. Chime’s own status page confirmed a platform-wide service disruption and listed affected features including SpotMe, Pay Anyone, Mobile Check Deposit, MyPay, ACH transfers, dispute filing, and the mobile app itself.

The fintech acknowledged a service disruption on April 1, noting it was working to resolve an issue and assuring customers that “the money in your account and your personal information are secure.” The three class action lawsuits filed in response directly challenge that statement. The lawsuits allege that Team 313 breached Chime’s systems and stole Social Security numbers, dates of birth, government-issued IDs, and other personal information from customers.

The legal claims focus on two separate harms. First, plaintiffs allege their personal data was stolen — the kind of information that cannot be changed and that creates long-term identity theft risk. Second, they allege that Chime’s digital-only model left users with zero alternatives when the app went down. Because Chime operates entirely through its app and website with no physical branches, users depending on it as their primary banking option had no alternative way to access their funds.

The complaint alleges Chime fell short of several widely recognized standards, including Federal Trade Commission guidelines, the NIST Cybersecurity Framework, and CIS Critical Security Controls — despite its privacy notice stating it maintains safeguards designed to protect customer data.

This lawsuit does not arrive without context. In May 2024, the Consumer Financial Protection Bureau (CFPB) issued an enforcement order against Chime Financial, finding that Chime had failed to refund consumers’ account balances within 14 days in thousands of instances after their accounts were closed — including thousands of cases where Chime failed to issue refunds within 90 days. That prior regulatory action is part of the documented backdrop plaintiffs may use to argue a pattern of consumer harm. For more on how fintech companies have faced regulatory enforcement alongside data breach litigation, see our coverage of Chime and Cash App fintech lawsuit settlements and payouts on AllAboutLawyer.com.

Are You Part of the Chime Data Breach Class Action?

The plaintiffs are looking to represent anyone in the United States whose PII was compromised in the Chime data breach. Here is how to know if you are likely included.

You may be part of this class if you:

• Had an active Chime account on or around April 1, 2026
• Experienced login failures, a black screen, inability to view account balances, or could not transfer money or pay bills during the April 1 outage
• Received — or expect to receive — a data breach notification from Chime about your personal information
• Have noticed unauthorized credit card attempts, suspicious account activity, or alerts that your data may have appeared on the dark web since April 1, 2026
• Suffered a concrete financial harm due to the outage — such as a late rent payment, missed bill, or bank fee caused by your inability to access funds

You are likely NOT included if you:

• Had no Chime account and no personal data stored with Chime Financial
• Were not affected by the April 1, 2026 outage and received no notification of any breach

Among the plaintiffs, Michael Walsh reported receiving alerts regarding unauthorized credit card attempts and notification that his data appeared on the dark web. Other plaintiffs, including Cindy Castaneda and Lauren Goodloe, cited the inability to monitor balances or pay rent during the downtime.

Related article: SpindleHorse NLRB Labor Charge 2026, What Is Actually Happening With the Hazbin Hotel Studio

Chime has not confirmed that any data was actually exfiltrated. Multiple cybersecurity firms track Team 313 under different names — Void Manticore at Check Point, Storm-0842 at Microsoft, and BANISHED KITTEN at CrowdStrike. The threat advisory cited in the complaints notes that the group is known to exaggerate or fabricate breach claims. Whether data was actually stolen will be determined through forensic analysis and court discovery. The lawsuit does not depend entirely on confirmed exfiltration — the CCPA negligence claims cover the failure to prevent the attack and the resulting loss of account access.

For comparison, a similar cyberattack against an app-based financial institution — the Patelco Credit Union data breach class action — followed nearly the same fact pattern and resulted in a $7.25 million settlement. That case shows what the resolution process can look like for affected customers.

What Are Chime Plaintiffs Seeking in This Lawsuit?

This is not a settlement — no money is available right now.

Plaintiffs are suing for negligence and negligence per se, alleging Chime failed to use reasonable care in protecting customer data. They also allege breach of implied contract and breach of the implied covenant of good faith and fair dealing, claiming Chime promised data protections it did not deliver. Additional claims include unjust enrichment, violation of California’s Unfair Competition Law, and violation of the California Consumer Privacy Act, citing Chime’s failure to maintain reasonable security for unencrypted personal information.

The CCPA claim carries real financial teeth. California’s privacy law gives consumers a private right of action when companies fail to maintain reasonable security procedures and a data breach results. Statutory damages range from $100 to $750 per consumer per incident — and with 20,000 or more affected users, that math adds up fast.

The litigation also highlights potential exposure under the SEC’s 2023 cybersecurity-disclosure rule, which requires public companies to report material incidents within four business days. As of May 4, 2026, Chime has not filed a notice of a material incident with federal regulators.

What Should You Do If You Were Affected by Chime?

You do not need to file anything or contact anyone right now to preserve your place in any future class action. Class members are automatically included if they meet the eligibility criteria when the case is certified.

Here is what you should do right now:

• Change your Chime password and turn on two-factor authentication immediately. If Team 313 accessed account credentials, changing your password limits further exposure.
• Place a fraud alert or credit freeze at all three major credit bureaus. Contact Equifax (equifax.com), Experian (experian.com), and TransUnion (transunion.com). A credit freeze is free and prevents new accounts from being opened in your name — especially important if stolen data appears on the dark web.
• Monitor your accounts closely. Set up transaction alerts. Check for unauthorized charges daily. Report anything suspicious to Chime and your card issuer immediately.
• Document everything. Save screenshots of error messages from April 1. Record any late fees, missed payments, or financial harm you suffered because you could not access your account. This documentation will support a future damages claim.
• Watch for a breach notification letter from Chime. Plaintiffs allege Chime has not yet formally notified affected customers of the breach, leaving them to suffer losses without the information needed to protect themselves. If a letter arrives, keep it.
• Consult a data privacy attorney if you suffered significant harm. A free legal consultation with a data breach compensation attorney can help you decide whether to pursue an individual claim alongside or instead of the class action.
• Do not pay anyone to join this lawsuit. Class membership is free and automatic.

Chime Data Breach Lawsuit Timeline

Milestone	Date
Cyberattack on Chime servers	April 1, 2026
Platform-wide outage peaks (est. 20,000 users affected)	April 1, 2026
Chime states customer data is secure on status page	April 1, 2026
First class action filed (Castaneda et al.)	April 3, 2026
Second class action filed (Porter)	April 7, 2026
Third class action filed (Walsh)	April 17, 2026
CFPB prior enforcement order against Chime	May 7, 2024
Class certification motion	TBD — not yet filed
Discovery begins	TBD — not yet scheduled
Expected settlement timeline	TBD — data breach class actions of this type typically take 1–3 years to resolve

Frequently Asked Questions

Is there a class action lawsuit against Chime Financial?

 Yes. Three proposed class action lawsuits are now pending in the U.S. District Court for the Northern District of California, all alleging that Chime Financial failed to protect customer data during a cyberattack on April 1, 2026. The lead case is Castaneda, et al. v. Chime Financial, Inc., Case No. 3:26-cv-02924.

Do I need to do anything right now to be included in the lawsuit?

 No. You do not need to sign up, register, or contact anyone to be included. If the court certifies a class, all eligible Chime customers whose data was compromised will be automatically included. Save records of any harm you experienced and take the protective steps listed above.

When will a settlement be reached in the Chime data breach case? 

No settlement timeline exists yet. The lawsuits were filed in April 2026 and are in the earliest phase of federal litigation. Data breach class actions of this complexity typically take one to three years to settle, depending on class certification, discovery, and negotiation. This page will be updated as the case progresses.

What personal data was allegedly stolen in the Chime breach?

 The lawsuits allege that the breach exposed personally identifiable information, including but not limited to Social Security numbers, postal and email addresses, phone numbers, and account credentials. Additional allegations include stolen dates of birth and government-issued IDs. Chime disputes that any data was actually exfiltrated.

Can I file my own lawsuit against Chime instead of joining the class action? 

Yes. Anyone with significant individual damages can pursue a separate claim. A consumer rights lawyer experienced in data breach compensation cases can evaluate whether an individual lawsuit makes more sense than waiting for a class action settlement. A free legal consultation is the right first step.

How will I know if the Chime lawsuit settles?

 If a settlement is reached and receives court approval, the settlement administrator will send notice to class members by email and mail. You can also monitor the case docket at pacer.gov using case number 3:26-cv-02924. This article will be updated with settlement details if and when they are announced.

What did the CFPB do to Chime before this lawsuit?

 In May 2024, the CFPB issued an enforcement order against Chime, finding that Chime failed to refund consumers’ remaining account balances within 14 days after accounts were closed — in thousands of instances, including cases where refunds were not issued within 90 days. This left customers unable to pay for basic living expenses. That prior action is relevant context for the current litigation.

Does Chime dispute the breach?

 Chime told customers during the April 1 outage that their money and personal information were secure — directly contradicting the breach allegations now in court. The Hawkeye advisory cited in all three complaints notes that Team 313 is known to exaggerate or fabricate breach claims. The factual dispute over whether data was actually stolen is central to the litigation and will be resolved through forensic discovery.

Sources & References

• Court Complaint: Castaneda, et al. v. Chime Financial, Inc., Case No. 3:26-cv-02924, U.S. District Court for the Northern District of California — PACER.gov
• American Banker: “Customers Sue Chime Over Alleged Iran-Linked Hack,” May 4, 2026
• Banking Dive: “Hacktivist Group Stole Chime Customer Information, Lawsuits Allege,” May 6, 2026
• Consumer Financial Protection Bureau: Chime Financial Enforcement Order, May 7, 2024

Prepared by the AllAboutLawyer.com Editorial Team and reviewed for factual accuracy against filed court complaints, American Banker reporting, Banking Dive coverage, and the CFPB enforcement record on May 8, 2026. Last Updated: May 8, 2026

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Chime Financial denies that any customer data was stolen. All allegations in the lawsuits described above are unproven claims; the defendants are presumed innocent unless and until a court finds otherwise. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding your particular situation, consult a qualified attorney.