Be Secure Online Blog

Revolut data hack : What you need to know

Cyberattack steals & exposes the data of over 50,000 customers

data hack,phishing, revolut hack, revolut breach, revolut hacked, internet safety, cyber security,
Founders of Ukrainian FinTech giant Revolut - Nikolay Storonsky, CEO and Vlad Yatsenko CTO

A cyberattack exposing the data of over 50,000 customers has hit Revolut, putting people at risk from identity theft and fraud. Revolut identified the cyber attack very late on Sunday, 11 September, claiming the breach affected less than 1% of its customer base. Personal data, including customer contact details and account data, had already been stolen.

Nikolay Storonsky, CEO and Vlad Yatsenko CTO started Revolut in Ukraine in 2015. They now have 5,000 employees worldwide. The pair have a keen eye for publicity. For example, Mr Yatsenko gave the RTE Toy Shop €1.1 million on Christmas 2021 after a service issue with the App in Ireland.

They want to develop the world's first financial super app: They have offices in New York, Tokyo, Madrid, Barcelona, Paris, Mexico City, Berlin, Budapest and Bucharest. 


Revolut now has over 20 million active daily users. The UK, with 4.8 million users, is the biggest market. Ireland, Romania and Lithuania have very high usage. The Irish use 'Revolut' as a verb meaning to transfer money.

Check out KnowBe4 cyber security awareness training!

Netflix for Cyber Security

How to Change Password in Revolut

All the experts recommend changing your passwords in these cases. Here is how to do that

  • Open Revolut Business mobile app (black icon)
  • Tap 'Forgot your passcode? '
  • Enter your email address and continue.
  • You must open the email on the same device to reset your passcode.

What Revolut customer data was exposed?

The State Data Protection Inspectorate published details of the data breach this week, the Lithuanian authority responsible for data protection. The Bank of Lithuania licenses and regulates Revolut as an EU member. Ukraine is not in the EU. 

It said they breached access to the Revolut database through social engineering. For example, an employee falls victim to a phishing scam and accidentally sharing a password. 

The breach hacked the data 50,150 customers, though no passwords or card Pins were accessible. The data exposed varied for different customers, but the list includes: contact details (name, email, phone number, postal address); partial debit card data (card numbers were masked and therefore unusable); account data (such as past transactions); and details of their device and last known IP address.

Revolut is working with the Information Commissioner's Office in the UK, and other regulators and authorities. 

data hack,phishing, revolut hack, revolut breach, revolut hacked, internet safety, cyber security,
Hack hit Revolut's reputation hard. People are unhappy with customer support and lack of clear details. 

Revolut apology for data beach

Revolut said; ‘Revolut recently experienced a highly targeted cyber attack. This resulted in an unauthorised third party getting access to the details of a small percentage (0.16%) of our customers. 

'We immediately identified and isolated the attack to effectively limit its impact and have contacted customers affected. Customers who have not received an email have not been impacted. 

'To be clear, no funds have been accessed or stolen. Our customers’ money is safe - as it has always been. All customers can continue to use their cards and accounts as normal.

'We take incidents such as these incredibly seriously, and we would like to sincerely apologise to any customers who have been affected by this incident, as the safety of our customers and their data is our top priority at Revolut.’

What did Revolut tell their data breach victims?

Revolut has contacted some customers affected by email, telling them that a special operations team will manage their accounts to ensure their money and data remain safe. 

Affected customers do not need to take any specific action and can continue to use their cards and accounts as usual. Keep an eye out for suspicious activity, including suspicious emails, phone calls, or text messages.

Revolut will contact customers by phone or text asking for security codes or login data, so any attempts to access information in this way are fraudsters. 

Meanwhile, on Reddit

Reddit devotees smell a canard as always. One user claimed to have been affected by the incident, and shared details of an email they received stating the “isolated incident” saw Revolut take “immediate action to properly manage...and protect [its] customers”. 

The email also reassured its recipient that their data, money and account were all safe and further advised them to be “especially vigilant for any suspicious activity, including suspicious emails, phone calls or messages”.

Other Reddit users criticised Revolut for only emailing its affected customers rather than making a public statement. Others criticised the non-specific language used in the email, saying that they “just want to know what data was leaked”. Many commented on the low level of customer service.

Fraud, Phishing and identity theft

It’s likely that cybercriminals will increase phishing attempts in the wake of this attack, so all Revolut customers should be on high alert for texts and emails that may contain malicious links. 

Scammers may also pose as Revolut fraud staff on the phone, to trick customers into divulging security details. Treat all phone calls about the data breach as potential fraud. 

Your name, address, and date of birth are enough information for criminals to open bank accounts, get credit cards, loans and state benefits, and order goods as you. 

In the aftermath of a data breach, keep a close eye on your post, and check your bank and credit card statements regularly. Set up any available bank alerts to notify you of activity on your accounts. 

You can also take more direct steps to prevent fraudsters from using your details:

Place a fraud alert on your credit report with any of the three UK credit reference agencies, Experian, TransUnion, or Equifax. This means any lender processing a credit application in your name will know that you may be a victim of fraud or identity theft, and they will take extra steps to verify the applicant is really you before moving ahead with the application. When you add a fraud alert to one credit report, it is applied to your credit reports at all three credit reference agencies, so you only need to do this once. 

Articles of Interest

Articles, links and connections from the BeSecureOnline site you might find interesting.    

8 good reasons to use a proper password manager

Ransomware - To pay or not to pay - Ransomware

German Insurer Allianz says  - Businesses fear a catastrophic IT failure the most

Cybersecurity Essentials for Business

Comments are closed for this post, but if you have spotted an error or have additional info that you think should be in this post, feel free to contact us.


Get the latest updates in your email box automatically.