These are not hypothetical risks. These are documented events where popular finance apps exposed, sold, or permanently lost their users' financial data.
Mint was one of the most popular free budgeting apps in the world. In November 2023, Intuit — the company that owns Mint — announced it was shutting down the service effective January 1, 2024. Users had a short window to export their data manually as a CSV file. Anyone who missed that window, or who had financial history older than three years, lost that data permanently. There was no migration tool that preserved budgets, categories, or historical insights. Users who had trusted Mint with a decade of financial records had no recourse.
You may have never heard of Plaid, but if you used Mint, YNAB, Personal Capital, Venmo, Cash App, or Coinbase, Plaid was quietly sitting in the middle of your bank connection. Plaid used login screens that mimicked your real bank's interface to capture your full banking credentials. It then used those credentials to pull far more transaction history than you authorized — and shared that data with third parties. A federal class action lawsuit was filed, and a judge approved a $58 million settlement in 2022. Plaid agreed to change its practices and give users more control over their data.
Expensify marketed its SmartScan feature as an AI-powered tool that automatically reads and categorizes your expense receipts. In 2017, it was revealed that the "AI" was actually human workers on Amazon Mechanical Turk — a crowdsourced marketplace — manually reading and transcribing customers' receipts. Those receipts contained names, home addresses, hotel bookings, medical receipts, boarding passes, and signatures. A bug then made some of those receipts publicly visible on the platform. The CEO confirmed that non-paying users' receipts were being processed by strangers without any disclosure in the product.
NCR Corp. runs the online banking software used by hundreds of financial institutions. In late 2019, NCR blocked both Mint and QuickBooks from its platform after a wave of automated bank account takeovers. Attackers had discovered that the persistent connections these apps maintain with banks — connections created when you link your bank account — could be exploited to silently monitor balances and then drain accounts. The attacks ran in automated cycles, targeting a new victim every 5 to 10 minutes, for 12-hour stretches at a time.
In multiple documented incidents between 2021 and 2025, attackers used a technique called credential stuffing — taking username and password combinations leaked from unrelated data breaches and trying them on TurboTax accounts. When a match was found, attackers gained access to complete tax returns containing Social Security numbers, full names, home addresses, salaries, and financial deductions. Intuit stated there was "no breach of Intuit systems," but multiple state Attorney General filings confirm that users' tax data was repeatedly accessed without authorization.
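Credential stuffing has a recognizable signature on the defending side: one source trying many different usernames in a short window, most of them failing, which looks nothing like a single user mistyping their own password. The following detection is an added example, not code from Pennyway, Intuit or the page; the log format, thresholds and sample lines are all constructed for illustration.

```python
"""Detect credential-stuffing patterns in web login logs.

Constructed example: each line is "<timestamp> <source_ip> <username> <result>"
where result is LOGIN_OK or LOGIN_FAIL. This is not a real product's log
format; adapt parse_log() to whatever your authentication service emits.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: 10.0.0.7 is a normal user who mistypes twice;
# 203.0.113.9 tries leaked credentials across many different accounts.
SAMPLE_LOG = """\
2024-03-01T10:00:01 10.0.0.7 alice LOGIN_FAIL
2024-03-01T10:00:09 10.0.0.7 alice LOGIN_FAIL
2024-03-01T10:00:20 10.0.0.7 alice LOGIN_OK
2024-03-01T10:01:00 203.0.113.9 bob LOGIN_FAIL
2024-03-01T10:01:01 203.0.113.9 carol LOGIN_FAIL
2024-03-01T10:01:02 203.0.113.9 dave LOGIN_FAIL
2024-03-01T10:01:03 203.0.113.9 erin LOGIN_OK
2024-03-01T10:01:04 203.0.113.9 frank LOGIN_FAIL
2024-03-01T10:01:05 203.0.113.9 grace LOGIN_FAIL
2024-03-01T10:01:06 203.0.113.9 heidi LOGIN_FAIL
"""


@dataclass
class LoginEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), src, user,
                                 result == "LOGIN_OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5,
                    max_success_ratio=0.5):
    """Return {source_ip: report} for sources that, within any sliding
    `window`, attempted at least `min_users` distinct usernames with a
    success ratio at or below `max_success_ratio` (assumed thresholds).
    The report lists accounts that succeeded inside the burst, since those
    are the ones whose reused passwords were actually valid."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)

    flagged = {}
    for src, evs in by_src.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start so all events fit inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            successes = sum(e.ok for e in win)
            qualifies = (len(users) >= min_users
                         and successes / len(win) <= max_success_ratio)
            if qualifies and (best is None or len(users) > best["distinct_users"]):
                best = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "successes": successes,
                    "compromised": sorted(e.user for e in win if e.ok),
                }
        if best is not None:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, report in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, report)
```

The "compromised" list is the actionable output: those sessions should be revoked and the account owners forced through a password reset and step-up verification, because the attacker's guess for them was correct. Thresholds are deliberately conservative; tune them against your own baseline of distinct usernames per source before alerting on them.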
On August 14, 2019, Credit Karma users began reporting on Reddit and Twitter that when they logged in, they were seeing someone else's account — full credit card details, balances, credit scores, and financial history belonging to a complete stranger. Some users reported that logging out and back in again showed them yet another stranger's account, as if they were spinning a roulette wheel through other people's financial lives. Credit Karma called it a "technical malfunction" and declined to say how many users were affected. With approximately 100 million users at the time, even a fraction of a percent represents hundreds of thousands of people.
A company shuts down, pivots, or gets acquired — and years of your financial history go with it. You had no copy, no backup, no warning.
Most free apps rely on data-driven business models. That model often involves your data — shared with advertisers, data brokers, or invisible intermediaries like Plaid. Pennyway is different: your data never leaves your machine, so it can never be shared or sold.
Just because it says "automated" or "AI-powered" doesn't mean no human ever sees your financial documents. Pennyway uses the Google Gemini AI model with no human involvement whatsoever.
Every persistent link between your bank and a cloud service is a door that attackers can try to open — on their timeline, not yours.
No cloud storage. No third-party data brokers. No persistent bank connections to exploit. Your data is encrypted on your device — and only you have the key.