By Personal Finance Tools Team

Chime Was Hacked. Here's What Users Actually Lost.


April 1, 2026. Just before 1 p.m. Eastern, Chime went dark.

Users trying to log in hit blank screens. Balances showed figures from days earlier or nothing at all. ACH transfers stalled mid-process. And because Chime is an app-only neobank with no physical branches and no tellers to call, roughly 20,000 members had no fallback. Their only bank was simply unavailable.

The attacker, according to federal lawsuits now pending in California: Team 313, an Iran-linked hacktivist group calling itself “The Islamic Cyber Resistance in Iraq.” They claimed to have knocked Chime offline and stolen customer data in the process. Chime denied both. Three class action suits were filed within three weeks.

The data theft question is genuinely unresolved. But there’s a more important question underneath it: what does any of this mean for the tens of millions of people who bank with a neobank?

At a Glance

  • Date: April 1, 2026, ~1 p.m. Eastern
  • Attacker: Team 313 (Iran-linked hacktivist group)
  • Users affected: ~20,000 at peak
  • Chime’s position: DDoS on marketing site + separate internal app issue; no data stolen
  • Lawsuit claims: SSNs, addresses, credentials, government IDs stolen; inadequate security
  • Lawsuits pending: 3 class actions in U.S. District Court, Northern District of California
  • FDIC coverage: Deposits up to $250K if the bank fails
  • FDIC blind spot: Lockouts, stolen PII, identity theft costs, late payment fees

What Actually Happened

According to Banking Dive, the disruption involved two separate issues Chime later described as unrelated: a DDoS attack—flooding servers with traffic until they buckle—that hit Chime’s marketing website, and an internal technical problem that simultaneously knocked out the app.

On the status page, Chime posted that “the money in your account and your personal information are secure” and that “the threat actor did not steal any customer data.” A spokesperson told reporters the attack affected “only our marketing website” with “no impact to member information.”

Team 313’s version: they breached Chime’s systems, exfiltrated customer records, and published the hack as a political statement. The group operates primarily for attention and geopolitical messaging—the name has been variously interpreted as referencing Islamic tradition—and the group has a documented track record of exaggerating or fabricating breach claims.

No independent forensic investigation has confirmed data exfiltration. The lawsuits were filed based on plaintiffs’ personal experiences of account lockout and on Team 313’s unverified public statements.

That doesn’t mean everything is fine. It means the data theft question is unresolved. What’s not in dispute is the lockout—that happened, DownDetector tracked 6,600+ user problem reports, and Chime’s own status page confirmed it.

The Gap FDIC Insurance Was Never Designed to Fill

FDIC insurance protects your deposits—up to $250,000—if the bank that holds your money fails and closes. Chime is FDIC-insured through Stride Bank, N.A. and The Bancorp Bank, both Member FDIC. That coverage is real. If Chime itself collapsed tomorrow, your deposited funds would be federally protected.

FDIC insurance doesn’t protect you if a hacker locks you out of your account for three days. It doesn’t reimburse a late rent payment caused by a blocked ACH transfer. It doesn’t cover identity theft costs if your SSN was in a database that got exfiltrated. It doesn’t pay for credit monitoring, legal fees, or the hours spent trying to reach support at a bank with no branches.

This distinction matters, and most coverage of neobank security glosses over it. “FDIC-insured” answers one question—is my deposited money safe if the bank closes?—while leaving a completely different set of risks unaddressed.

What Users Actually Lost

Based on the class action complaints filed in U.S. District Court for the Northern District of California, affected users reported:

  • Being unable to log in for hours to multiple days
  • Seeing outdated or frozen balances
  • Having ACH transfers stall with no resolution timeline
  • No access to funds, with no physical branch as a workaround
  • At least one documented late rent payment among the named plaintiffs
  • Anxiety and sleep disruption—yes, both appear in the complaints

The money stayed put. As far as any public evidence shows, no funds were moved out of accounts. Your balance, if you were a Chime customer on April 1, almost certainly remained intact.

What potentially left the building is a different matter. The lawsuits allege Team 313 accessed Social Security numbers, dates of birth, government-issued IDs, email addresses, postal addresses, phone numbers, and account login credentials. Chime disputes this. The truth is still being litigated.

The Class Action Lawsuits

Three complaints were filed in quick succession, according to American Banker:

  1. April 3 — Cindy Castaneda and Lauren Goodloe file the first class action in the Northern District of California
  2. April 7 — A second complaint filed
  3. April 17 — A third complaint filed

The core allegations across all three: Chime failed to implement adequate cybersecurity measures before the attack, and failed to formally notify affected customers afterward. Top Class Actions is tracking all three cases if you want to follow the litigation.

Chime has called the allegations “without merit.” No settlement has been negotiated. These cases are in early litigation—class action timelines are measured in years.

One nuance worth keeping: class actions get filed fast. The bar for filing is “we have standing to argue harm,” not “we’ve proven it.” Whether these cases survive motions to dismiss, reach discovery, or settle is a different question. The existence of lawsuits tells you the legal mechanism is in motion, not that Chime is definitively liable.

What Should Chime Users Do After the April 2026 Breach?

If you’re a Chime customer—or any neobank customer—here’s the action list:

  1. Check for exposure. Go to haveibeenpwned.com and enter your email. If your address appears in known breach databases, credentials from this or any past breach may be in circulation.
  2. Change your Chime password if you haven’t since April 1. Use a password manager to generate a unique one. If you’ve reused that password elsewhere, change those accounts too.
  3. Enable two-factor authentication. Chime supports 2FA through the app. Use an authenticator app (Google Authenticator, Authy) rather than SMS—SIM-swapping attacks can intercept text codes.
  4. Place credit freezes. Free at Equifax, Experian, and TransUnion. If your SSN was in the alleged exfiltration, this is the most effective block against new accounts being opened in your name. Unfreeze temporarily when you need to apply for credit.
  5. Turn on transaction alerts. A push notification for every Chime transaction is the fastest way to catch unauthorized use. If you’re not getting them, go turn them on now.
  6. Monitor your credit reports. Free options include Credit Karma (TransUnion and Equifax) and Experian’s free tier. If you want more complete coverage, the best credit monitoring apps of 2026 run from free to about $15/month.
  7. Check lawsuit participation eligibility. If you were locked out on April 1, you may qualify for the pending class actions. TopClassActions.com has enrollment details as they become available.

What the Attack Doesn’t Mean

Team 313 is a messaging operation, not a sophisticated financial theft ring. DDoS attacks (their primary tool) flood servers with traffic until they stop responding. Disruptive. Not the same as the kind of sustained, stealthy intrusion designed to quietly drain accounts.

The lawsuit allegations of data theft are serious and worth watching as discovery unfolds. But they rest on Team 313’s own claims, which the group is known to inflate. Until independent forensic analysis or the court discovery process surfaces actual evidence, “Chime was hacked” is accurate and “your SSN was definitely stolen” is not yet established.

Those are two very different statements, and most of the alarming headlines in April didn’t distinguish between them.

The Bigger Problem Neobanks Haven’t Solved

The Chime outage isn’t isolated. It’s a preview of the structural risk in app-only banking.

When a traditional bank’s website gets hit by a DDoS attack, customers walk into a branch, call an 800 number, or use an ATM card. When Chime’s app went dark on April 1, the options were: wait, or call customer support and also wait. No physical backup. No alternative access method. The concentration of service delivery into a single channel is the same feature that keeps overhead low and rates competitive. It’s also the reason 20,000 people couldn’t touch their money for hours.

The Trump fintech executive order signed earlier in 2026 gestures toward more regulatory oversight of fintech security. The practical effect remains unclear. Regulatory frameworks for neobank outage liability—what the institution owes you when you can’t access your money through no fault of your own—don’t exist in any meaningful form yet.

There’s also the durability question, which the Monzo US exit made concrete earlier this year. Chime went public in June 2025 (Nasdaq: CHYM) and is the largest US neobank by customer count. One disruptive attack from a hacktivist group doesn’t change that picture. But it does clarify what kind of risks FDIC insurance is and isn’t designed to handle.

The Chime Prime review covered Chime’s security posture in detail—the FDIC structure, the neobank durability question, the Visa debit dispute resolution timeline. None of that changed after April 1. What changed is that the abstract risk of app-only banking briefly became very concrete for 20,000 people.

If you’ve been meaning to set up a fraud protection stack and haven’t gotten around to it, this is the reminder.

The Bottom Line

The lockout was real. The disruption was real. The anxiety of tens of thousands of people who couldn’t access their only bank account mid-day on a Wednesday—that’s real.

Whether Team 313 actually exfiltrated data is unresolved. The lawsuit discovery process will either surface evidence or the central allegation will collapse. Either way, that answer is years away.

What you should take from this is narrower and more actionable than the headlines suggest: FDIC insurance and operational security are different things. Your deposits are federally protected if Chime fails as a business. They are not protected if the app goes dark for three days, if your SSN gets traded on a dark web forum, or if someone opens a credit card in your name six months from now.

The simplest hedge: a backup checking account at a different institution. Most online checking accounts take 10 minutes to open and have no fees. It’s not sophisticated advice. It’s the kind of thing that turns a three-day access crisis into a minor inconvenience.

Take the protective steps above. Watch the lawsuits. And if April 1 clarified that your financial setup has no backup plan when the app goes down—build one before you need it.


Information current as of May 2026. The three class action lawsuits are in early litigation; no settlement has been negotiated or approved. Verify current security guidance and account terms at chime.com.