Plaid Inc. is a financial services and technology company that provides secure portals for sharing banking data with other apps, such as budgeting, payment and investing apps.
Most recently, Plaid and OpenAI announced a partnership that would allow users to link their bank accounts to ChatGPT for a new financial advice service.
The incident, which occurred in December 2024, was only recently discovered, in April 2026. The disclosure on the Maine Attorney General’s website states that the incident impacted 294 people, with the only description of the breach being “inadvertent disclosure.”
In a letter to those impacted, Plaid said that it conducted an investigation, which determined that the incident was not a cyber attack, but an internal technical issue related to phone number recycling.
“The Company conducted a thorough investigation and determined the issue stemmed from a phone carrier practice called number “recycling” — when a mobile carrier reassigns a disconnected phone number to a new person. The investigation identified that, in rare cases, this may have resulted in a mismatch of some Plaid accounts tied to those phone numbers,” the notice reads.
“As a result, it was possible that certain profile information relating to the prior owner of the phone number may have been visible to the new owner.”
“The Company conducted a comprehensive evaluation to determine the user accounts and nature of information that may have been involved and to confirm contact information for those individuals. This process was completed on or around April 22, 2026.
“Importantly, this incident was the result of a technical issue, not a malicious actor. However, the Company is notifying users who may have recently changed their phone number and whose information may have been involved with the technical issue to inform them of this issue.”
According to the release, the data revealed varied based on the service, but potentially included names, birth dates, addresses, driver’s licenses, Social Security numbers and “certain bank account details such as bank name and account numbers.”
Plaid said that bank login credentials were not compromised.
The company is now facing a potential class action over the incident, with US law firm Dapeer Law, P.A. inviting those impacted to join.
“Dapeer Law, P.A. is investigating a potential class action against Plaid Inc., a San Francisco-based financial-technology platform that connects consumer bank accounts to thousands of apps, on behalf of consumers whose personal and banking information may have been visible to the wrong individuals between December 25, 2024 and April 22, 2026 due to a phone-number recycling issue in Plaid's connection system,” the law firm wrote.
News of the incident comes just as OpenAI announced its partnership with Plaid for banking connectivity.
OpenAI announced that US-based Pro users of its ChatGPT generative AI will now be able to access a preview of a new “personal finance experience”, which will allow users to monitor spending and get suggestions on how to save.
“Now you can securely connect your financial accounts, see a dashboard of where your money is going, and ask ChatGPT questions grounded in your financial context – all while staying in control of your data. We’re starting with a preview to a smaller group so we can learn from real-world use, improve the experience, and expand thoughtfully,” OpenAI said.
While OpenAI has said the service is secure, with “financial memories” able to be deleted and accounts disconnected, experts have suggested that the service still comes with risks, which include revealing personal details and habits, enticing account theft by threat actors, and the lack of confirmation that the banking data will not be used for commercial purposes.