Financial Exposure: Rudder Inadvertently Shows Users Each Other's Bank Account Info

Hundreds of people who use personal financial monitoring service Rudder woke up this morning to find that their personal bank account, credit card, and other financial data was exposed to other users. One Rudder user, Angie Seaman, told us that she received not only her own daily financial update from Rudder, but also the financial update for about 300 other users (see screen shot above). And not only could she see what was in their emails, but she could click through to their accounts. Seaman was understandably shocked and closed her account (see her full e-mail below). Plenty of other users have been complaining on Twitter as well.

I called up the company to find out what happened. Chief financial officer Nikunj Somaiya confirms that 732 accounts were compromised, or about 3.5 percent of active users. Members whose email start with the letters “a,” “b,” or a number had their account information shared before the company noticed and shut down all e-mail updates. Somaiya says, “We realize this is very sensitive information. We are extremely sorry.” But he also notes, “We get read-only access to balances and transaction. We don’t even store your banking user name and password. We can’t touch your money, nobody can move your money.” Yeah, but hundreds of Rudder members might now know how much other users have in their bank accounts.

It could have been worse. Rudder only lets members keep track of their financial accounts and balances in one place. It doesn’t allow people to access the underlying accounts. It doesn’t show passwords or social security numbers or even real names—unless, of course, you use your real name as your email address, which many people do.

So how did this happen? Rudder’s emails were getting caught up as spam by Yahoo, so all of its users with Yahoo Mail accounts weren’t getting any updates. After talking with Yahoo, Rudder added a new DomainKeys Identified Mail (DKMI) component to its outgoing emails last night which adds a signature to each email that verifies it is coming from a valid domain. But for some reason, “instead of separating the emails, it appended them together,” explains Somaiya. So those 732 users received not only their own financial updates, but also all of the updates from the appended accounts.

Somaiya says Rudder is bringing in a security consultant to go over their procedures and will implement any and all suggestions. But it might be too late. When it comes to personal finance, trust is everything, even if it is just your financial data you are entrusting to a site and not actual transactional capabilities. Will Rudder be able to bounce back from this breach? And will competitors such as Mint also be tarnished with doubt, or will they be able to capitalize on Rudder’s misstep?

Here is Angie Seaman’s email to us:

I’m not sure if you’ve heard this one yet, but this morning I woke up to a really unpleasant surprise. I had several hundred email updates from Rudder, only one was actually intended to be delivered to me.

The rest were to other users. Yes, I got about 300 users’ daily financial update information. I think I would have gotten more had I not deleted my account when it started happening. I got mostly email addresses that started with “a” and “b.” That’s shocking enough. I cancelled my account right away, but then wondered–can these people access my account?

So I clicked on one of the emails I received and lo and behold, it logged me right in as them. Obviously I didn’t do anything with their account but I could have.

There isn’t address information or full account numbers, but it’s pretty unreal that I was able to just access about 300 other users’ personal banking details. I don’t think they wanted me to know they’ll have like $1.83 left at the end of the month and I don’t really want them to know my info.

Update: As a precautionary measure, the company will be offering a free identity-theft service to all compromised Rudder members.