[Confirmed & “Resolved”] Reports Of Significant Security Issue With Accounts At Chase

Update: Chase has confirmed that this was indeed an issue and it has been fixed.

  • We’re still investigating now, but at this point believe it was extremely limited in scope – Trish Wexler, spokesperson for JPMorgan

Wexler also went on to say that they know of no unauthorized transactions but would work with any customers to resolve any problems. It should be noted, however, that there are reports of unauthorized transactions on the accounts of people who also logged in and saw somebody else’s account (see the original reddit post); this is contrary to the Chase statement.

There are some concerning reports coming out from customers with deposit accounts at Chase (it seems not to be limited to deposit accounts). To summarize the issue: a number of people have logged into their accounts as normal, only to find that they have been logged into an entirely different person’s account (somebody they have no relation to). To make matters worse, it seems that when you’re logged into somebody else’s account you’re able to make transfers and access other information. Some people have reported that they have logged into their own accounts only to find that unauthorized transactions have been made.

Reports first started to come in on reddit’s personal finance subreddit, but Boarding Area blogger Fly and Dine has also reported the same issue. It seems that this might be a caching-related issue (something similar happened to Steam) and that one of the causes is actually logging in, so I’d recommend that all readers avoid logging into their Chase accounts for now (although keep in mind that’s speculation at this stage). We’ve reached out to Chase for comment.

Additional reports/datapoints:

If you were affected, please share your story in the comments.

View Comments (68)

  • I wanted to check a payment that also showed up as a direct transfer from my Credit Union and was unable to log in to my Chase card account. But with Quicken, my password checked the account and showed it was OK. Still (today) my password is not working.

  • NOT resolved. My wife just had her online account blocked (online access only, my access is not blocked nor use of the account) for what they call suspicious activity. They cannot clarify more than that but claim her iPhone must have a virus or malware. I forwarded this article to my wife as well as an article from Bloomberg, and the Chase employees at the bank and telephone customer service had NO IDEA about this.

  • This was intentional for Chase as part of their new "Get to Know Your Neighbor!" program. The way it works is, every time you log in you are logged into a different "neighbor's" account. There you are free to poke around and "stay a spell" as their website's copy describes it. I, for one, think it's very sweet.

  • I've generally had good experiences with Chase, especially in their fraud prevention, but I'm not convinced of their security precautions in other areas. A few months ago, I logged in to find all my UR points (~90K) gone. I looked, and it said they were redeemed for a cruise, which I didn't book. I called Chase, and they couldn't explain how someone used them. I change my passwords regularly, use complex, unique ones, etc., so I was confused as well. Thankfully, they gave them back without a hassle, but I watch them like a hawk now.

  • As someone who works in the IT industry, I find the fact that this kind of "error" could remotely happen beyond my imagination. It's not a bug, it's a severe flaw in design that never should've happened. Even a CS major freshman would laugh their asses off. Seriously, authorities should investigate and dole out fines.

  • I didn't have any problem with Chase today, but now this afternoon Wells Fargo's site (on three major browsers) and Android app are all going ape when I try to go to the transfers and bill pay section. Does not inspire confidence.

    • I have not personally experienced any problems but based upon these responses, I reached out to my local Chase branch this morning. Not surprisingly, they knew nothing about this. I then spoke with Customer Support at the national level and after being transferred a couple of times, I spoke with someone who verified this was a widespread, known issue they were working to fix. He informed me that there was no way to protect my account; putting a fraud hold on it would not help. He had no time frame for a fix; he thought a complete national shutdown of the Chase network was imminent. I then spoke with my local branch rep again who assured me she would call me when the situation was resolved. I have yet to receive a call.

  • This happened to me a couple months back when I tried to have my business credit card account linked with my personal account so that I could log in and view everything with a single online account.

    After I requested they combine my online accounts, I logged in and confirmed that everything was good to go. However, the next day when I logged in, I no longer saw my personal CC accounts alongside my business account, but instead saw someone else's checking and Chase Slate account.

    It took a solid week for them to straighten their shit out and they barely offered an apology. I tried to get them to offer me some UR points for my troubles but they didn't budge. I did save all of my communications with them though, so if we can get something out of them for this I'd be all for it. There was absolutely no sense of urgency on their part in getting back to me after I disclosed the breach, and it was absolutely unbelievable to me how long it took them to remedy the situation.

  • Logged in to my Chase credit card account yesterday at 5:30pm AZ time - found myself in someone else's checking and savings account in Louisiana. Full access to all of their banking and personal information it appeared - Called Chase immediately and they said they "knew about it and were working on a fix" - my question - WHY NOT SHUT DOWN WEB ACCESS while you fix it??? Logged in again and it went straight to my account. They need to let all their customers know about this.

    • Since it was for an isolated group of people, it's probably easier for them to let it slide and work on a fix instead of shutting down the website where they would get tens of thousands of calls.

      • It being easier doesn't make it the right decision. If people are getting unauthorized access to the account then you shut down log ins regardless of the number of complaints you'll get until it's fixed.

  • This reminds me of an issue with hotmail mobile back in the day. If I used a specific way of logging in to their mobile site and refreshed the page, I would be logged into a different user's email.

    Had the hardest time getting in touch with the right team back then for them to fix it, but eventually in a few days they fixed it.