Multiple Chase.com customers have reported logging in to their bank accounts, only to be presented with another customer’s bank account details. Chase has acknowledged the incident, saying it was caused by an internal “glitch” Wednesday evening that did not involve any kind of hacking attempt or cyber attack.
Trish Wexler, director of communications for the retail side of JP Morgan Chase, said the incident happened Wednesday evening, for “a pretty limited number of customers” between 6:30 pm and 9 pm ET who “sporadically during that time while logged in to chase.com could see someone else’s account details.”
“We know for sure the glitch was on our end, not from a malicious actor,” Wexler said, noting that Chase is still trying to determine how many customers may have been affected. “We’re going through Tweets from customers and making sure that if anyone is calling us with issues we’re working one on one with customers. If you see suspicious activity you should give us a call.”
Wexler urged customers to “practice good security hygiene” by regularly reviewing their account statements, and promptly reporting any discrepancies. She said Chase is still working to determine the precise cause of the mix-up, and that there have been no reports of JPMC commercial customers seeing the account information of other customers.
“This was all on our side,” Wexler said. “I don’t know what did happen yet but I know what didn’t happen. What happened last night was 100 percent not the result of anything malicious.”
The account mix-up was documented on Wednesday by Fly & Dine, an online publication that chronicles the airline food industry. Fly & Dine included screenshots of one of their writer’s spouses logged into the account of a fellow Chase customer with an Amazon and Chase card and a balance of more than $16,000.
Kenneth White, a security researcher and director of the Open Crypto Audit Project, said the reports he’s seen on Twitter and elsewhere suggested the screwup was somehow related to the bank’s mobile apps. He also said the Chase retail banking app offered an update first thing Thursday morning.
Chase says the oddity occurred for both chase.com and users of the Chase mobile app.
“We don’t have any evidence it was related to any update,” Wexler said.
“There’s only so many kind of logic errors where Kenn logs in and sees Brian’s account,” White said. “It can be a devil to track down because every single time someone logs in it’s a roll of the dice — maybe they get something in the warmed up cache or they get a new hit. It’s tricky to debug, but this is like as bad as it gets in terms of screwup of the app.”
White said the incident is reminiscent of a similar glitch at online game giant Steam, which caused many customers to see account information for other Steam users for a few hours. He said he suspects the problem was a configuration error someplace within Chase.com “caching servers,” which are designed to ease the load on a Web application by periodically storing some common graphical elements on the page — such as images, videos and GIFs.
“The images, the site banner, all that’s fine to be cached, but you never want to cache active content or raw data coming back,” White said. “If you’re CNN, you’re probably caching all the content on the homepage. But for a banking app that has access to live data, you never want that to be cached.”
“It’s fairly easy to fix once you identify the problem,” he added. “I can imagine just getting the basics of the core issue [for Chase] would be kind of tricky and might mean a lot of non techies calling your Tier 1 support people.”
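As an added illustration of the caching failure White describes (this is constructed example code, not Chase's own code or configuration), the toy below puts a shared response cache keyed on URL path in front of an origin that serves both a static asset and a per-user account endpoint. With the cache ignoring `Cache-Control: private, no-store`, the second user is handed the first user's account; honoring the header fixes it, and a crossover check flags the mismatch. The users and balances are invented sample data.

```python
# Constructed sample data (not real accounts): owner name and balance per user.
ACCOUNTS = {"kenn": {"owner": "kenn", "balance": 120.50},
            "brian": {"owner": "brian", "balance": 16000.00}}

def origin(path, user):
    """Stand-in for the application server behind the cache."""
    if path.startswith("/static/"):
        # Static assets: safe to share across users, as the article notes.
        return {"Cache-Control": "public, max-age=3600"}, {"asset": path}
    if path == "/api/account":
        # Live, per-user data: the origin marks it as never to be shared or stored.
        return {"Cache-Control": "private, no-store"}, dict(ACCOUNTS[user])
    raise KeyError(path)

class SharedCache:
    """Reverse-proxy style cache keyed on path only (hypothetical, simplified)."""
    def __init__(self, honor_headers):
        self.honor_headers = honor_headers   # False models the misconfiguration
        self.store = {}

    def get(self, path, user):
        if path in self.store:
            return self.store[path]          # served regardless of who is asking
        headers, body = origin(path, user)
        cc = headers["Cache-Control"]
        cacheable = True
        if self.honor_headers and ("private" in cc or "no-store" in cc):
            cacheable = False                # hardened: private data is never stored
        if cacheable:
            self.store[path] = body
        return body

def crossover(user, body):
    """Defender-side check: does the payload belong to the authenticated user?"""
    return body.get("owner", user) != user

def run(honor_headers):
    """Kenn fetches his account first; then Brian asks for his own."""
    cache = SharedCache(honor_headers)
    cache.get("/static/logo.png", "kenn")
    cache.get("/api/account", "kenn")
    body = cache.get("/api/account", "brian")
    return body["owner"], crossover("brian", body)

if __name__ == "__main__":
    print("misconfigured:", run(False))   # Brian sees Kenn's account
    print("hardened:    ", run(True))     # Brian sees his own
```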
Update, 8:10 p.m. ET: Added comment from Chase about the incident affecting both mobile device and Web browser users.
Perhaps it’s just me (being an apostrophe freak) but I parsed “one of their writers’ spouse” as “one of their writer’s spouses”…
No. But “the spouse of one of their writers” would have worked.
It would be more reassuring if they used 2FA for every login.
2FA wouldn’t have helped; it was a backend issue. “Fred logs in; we know it’s Fred. But we’re showing Harry’s data”. 2FA would not stop that.
Agree. I work in the financial software biz; this was a session-state loss. I’ve seen it happen before; it’s big news when it happens to a Chase.
It’s interesting. Did I misread it, Brian, the only affected people were the ones using their mobile app, right? And whoever used the desktop web browser did not experience the bug? If so, there’s a bigger issue at play there. A caching server glitch would not explain why it wouldn’t propagate the same bug to the desktop site. What may be the cause here is that all processing of customer logins was done on the client side by the mobile app. Which is REALLY REALLY bad if that is the case. But hey, that has been done before, right 🙂
Yes, Chase has said it affected both browser users and mobile app users.
This really sounds like some session ID cache re-use issue. Chase is one of the biggest consumer banks in the US and they revamped their backend a few years back to be more API driven. All it would require is some b0rken memcached or similar layer to cause this type of issue.
I work for a middleware software company and have been to no less than 5 different financial institutions in the last 18 years that were affected by users seeing other users’ data. A couple of the cases were due to the session id cache entry not being properly cleared before reuse (one was an internally app-managed session id cache, the other was the middleware product); the other 3+ cases were all due to session id mishandling by the application, where they did not understand multi-threaded programming (which is a complex topic) and thus introduced a bug into the app. The latter problem always occurred after a new version of the application was deployed, and the failback was to revert to the previous version of the application. These problems are difficult to troubleshoot and reproduce in test as it only affects a very small part of the user population (being a timing issue, the timing had to be just right to hit the bug). More sophisticated middleware application servers have automated session crossover detection now, so I’m a bit surprised that as many users detected the bug, because running on a modern app server they should have seen the bug in the logs and immediately failed back to the previous app version. So maybe they moved to some open source platform, as they tend to not have such robust capabilities as session crossover detection.
Shouldn’t the session id cache entry have a large enough id number (2^64) that any given id number would not be reused for at least a thousand years? That sounds like basic programming to me!
The session id may be different but the block of memory it is using is what is corrupt (containing someone else’s info). So the id may not be reused in thousands of years but the same block of memory gets reused over and over. Thus the “cache”.
So the block of memory (that contained some sensitive information) wasn’t cleared before being freed? Now *that* is a basic programming blunder.
Exactly what I suspected. One can put all the authentication and security on transport, but if the session handling is shoddy, it’s the end!
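The thread above (a session entry reused without being cleared, and the crossover detection the middleware commenter mentions) as an added example; this is constructed illustration code, not Chase's or any vendor's. A pre-allocated session entry goes back to the pool with the previous customer's account still inside it, and a lazy loader that only fetches when the entry "looks empty" then serves that stale data to the next login. Clearing on release fixes it; a per-request crossover check catches it either way. Users and balances are invented.

```python
# Constructed sample data (not real accounts).
ACCOUNTS = {"kenn": {"owner": "kenn", "balance": 120.50},
            "brian": {"owner": "brian", "balance": 16000.00}}

class SessionPool:
    """Toy pool of pre-allocated session entries reused across logins."""
    def __init__(self, size, clear_on_release):
        self.free = [{"user": None, "account": None} for _ in range(size)]
        self.clear_on_release = clear_on_release   # False models the bug

    def login(self, user):
        slot = self.free.pop()        # take whatever entry is free
        slot["user"] = user           # identity is set correctly...
        return slot                   # ...but the rest of the entry is whatever was left

    def logout(self, slot):
        if self.clear_on_release:
            slot["user"] = None
            slot["account"] = None    # scrub before the entry is reusable
        self.free.append(slot)

def load_account(slot):
    """Lazy loader: only hits the backend when the entry looks empty."""
    if slot["account"] is None:
        slot["account"] = dict(ACCOUNTS[slot["user"]])
    return slot["account"]

def crossover_detected(slot):
    """Detection an app server can run per request: payload owner vs. session user."""
    return slot["account"]["owner"] != slot["user"]

def scenario(clear_on_release):
    """Brian logs in and out; Kenn then lands in the same entry."""
    pool = SessionPool(size=1, clear_on_release=clear_on_release)
    s = pool.login("brian")
    load_account(s)
    pool.logout(s)
    s = pool.login("kenn")
    body = load_account(s)
    return body["owner"], crossover_detected(s)

if __name__ == "__main__":
    print("no clearing:", scenario(False))   # Kenn is shown Brian's account
    print("cleared:    ", scenario(True))    # Kenn sees his own
```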
I just received a letter from Chase stating that they were sorry for giving incorrect information on my 1098 and would be sending an updated and correct 1098 by March 15th. The next paragraph stated, in the same nonchalant wording, that they were also sorry to have mailed a copy of my previous 1098 to another individual, with my name and account information on it. The letter stated that the information release was not concerning. Basically, stating that it wasn’t serious because it didn’t include my social security number. Strangely similar to the current online issues, huh? Also, last week I received a letter from Chase with my address but another person’s name. I thought it was strange, but put it back in the mailbox, return to sender, no person by that name at this address.
“Wexler urged customers to “practice good security hygiene” by regularly reviewing their account statements, and promptly reporting any discrepancies.”
Classic company response… push the responsibility onto the customer even if the company makes the mistake.
Sudhakar, your bank can’t verify 100% of all your transactions or decide on your behalf which are fraudulent and which aren’t, so if you wish to have a better user experience, work with your bank as a team. In case of fraud or any other financial loss, they are still liable.
Have you ever worked with a bank on fraudulent transactions?
There are fraudulent transactions caused by the bank itself, including random fees, but the bank won’t reimburse you if you don’t notice those within a certain timeframe.
With respect to the customer having to work with a bank on a UI, do you know the difference between a UI and the functionality? This is not an interface issue. This screw up is the direct result of the bank constantly cutting costs. Many software teams within Chase don’t have a separate QA. The developer will have to develop, and the same person tests, deploys, validates with the end user, and supports the code.
Chase is not a mom and pop operation, it’s a $95 billion a year company, but they cut costs every year. Many App Dev Mgrs have to decide every year which servers to decommission (just for cost cutting, not for technical upgrades). There are not a lot of lower level environments. The developer is at the bottom of the food chain at Chase. Even the people doing deployment with zero technical skillset take advantage of developers’ misery, even though they can’t even open a registry or a shared folder on their own, and the developer has to sit through the whole deployment and validation to instruct each action.
Chase’s way of development is to squeeze developers and then keep squeezing, make developer do everything including testing, and if there is an issue blame the developer.
While this is a tricky issue, if you have a proper application level testing, then integrated testing and then performance testing each by a different team it most certainly would have been caught before the release.
The problem is with their constant need for shoring up the bottom line by cost cutting even in a climate of healthy topline growth; many developers who could leave Chase have done so, and the talented people remaining will have to play multiple roles to compensate for others who don’t know how to do their jobs and for the constant cost cutting from the bank.
Agree. During the time I spent with them, the managerial changes were almost always coup-styled. Someone from an unrelated industry will “impress” a top-level manager like a CTO and he will be given control of that unit – all managers in the whole lineup would be forced out (including those with decades of experience) and the new guy will bring in his people, who usually don’t know anything technically. Those people then hire developers and others, and you can imagine how that’d go. There is no due process at such a large bank. An entire unit is treated like someone’s property. If you don’t or can’t involve yourself in cutthroat office politics, you can’t move up.
This is interesting, just this am I received one of those spam emails from what is supposed to be Chase Bank to verify my account info. The url of the site attached has no Chase name and I have no relationship with them. Just saying, coincidence???
Not a coincidence. Think about it. If you’re a scammer, this is the perfect time. Same reason you get an influx of spam mail selling official looking services when you buy a new house, get a new credit card, etc. You are temporarily primed to expect such communication and so, will be less likely to notice something amiss.
The Titanic ship was built by Chase Manhattan bankers, to get rid of the… opposite!! So it’s the same team… trotsies
Who knows what I’m talking about? They know. It’s all good in da hood.
This isn’t Facebook…why bother commenting with nonsense?
Seriously if you have nothing to add to the discussion, don’t you have anything better to do?
I got nothing better to do, but I like to add something always 😀
I’m like an internet troll; I like trolling and making others nervous :D I enjoy trolling a lot :)
This isn’t Twitter**
My husband’s account and my account (two different account numbers) were both hacked by Venmo transactions totaling over $5000 on 2/20 – 2/21. No one at Chase mentioned this issue when we called security regarding the hacks, and no one mentioned this at the branch when we went in to freeze our accounts. So guess what – Chase loses the money involved and they also lose long time (over 25 years) customers.
How is Chase responsible if your Venmo accounts were hacked?
Venmo is owned by PayPal
Did you have the Chase accounts linked to Venmo?
No, the account was likely linked by the scammer. Chase wouldn’t have known it was fraud until Susan notified them. It appears she expected them to be clairvoyant.
I doubt these two things are connected.
I wouldn’t be so sure. I also had many Venmo transactions on my fairly NEW Chase account this morning. They were definitely fraudulent. I found this article while Googling the problem.
Users can check what systems have accessed their accounts in the “Manage Account Security” portion of their security settings. It tracks which devices accessed your accounts, so keep an eye out for any you don’t recognize. You can see any activity from the last 90 days. You can also turn on alerts to text you for account activity.
That would not help in the case of this “glitch”. I think the setting you reference only shows “devices that logged in to your account,” not “devices that accessed your account”.
The glitch described here was logging into one account and accessing another account.
The “Device Access History” specifically states: “Track which devices accessed your accounts, and keep an eye out for any you don’t recognize. You can see any activity from the last 90 days.”
That said, I don’t hold any hope that this screen will tell me if someone else accessed my account under these circumstances.
I would like to see an update from Chase letting us know if /when they determine which accounts may have been accessed and that they are notifying individual customers.
Additionally, I would like to see them specifically notify ALL of their customers about this “glitch.” It’s great to read about it through other online sources, but Chase needs to do this for all their customers to increase awareness.
You are probably correct that the device access history probably will not contain any entry related to the other user’s data. Thus the compromised user won’t know. I would guess device access history is only logged when the user logs into their account and it would have been the other user’s login instead of the one they are actually seeing on screen.
Chase blocked my credit card 3 times last week for so called “suspicious activity”. 1st time for doing business with a new to me merchant. 2nd and 3rd time for shopping at a grocery store where I had been using my credit card for over 30 years. Bottom line, Chase security is a joke! They have no clue as to what they are doing!
So good security is a joke? Maybe you can find another card that allows a bit of fraud!
No, good security is not a joke, but Chase security IS. Blocking my personal transactions 3 times in 5 days is NOT good security! It is a JOKE! In over 40 years I’ve never experienced fraud on my cards because I practice “good security”. So feel free to practice your sarcasm elsewhere!
I have a feeling I know whose account that was with the $16K in credit card balances…
Found a security vulnerability in the verification process :-). After failing twice to self identify you get prompted with the option of trying again in 72 hours. But if you back out to the page where it mentioned you failed the verification, click the “opt-in in person” and then at the bottom of the page click “verify online”. You get to try again for a third time. I cannot confirm, but maybe you have an unlimited number of tries…
Comment above placed in wrong article