98 million people gave their bank passwords to plaid. most of them don't know what happened next.
the lawsuit
in 2022, plaid settled a $58 million class action lawsuit. the allegations: they took way more financial data than needed and designed their login screen to look like actual bank websites.
users thought they were typing passwords directly into their bank. nope. they were giving credentials to plaid, who then used them to scrape "one of the largest transactional data sets in the world."
the settlement covered anyone in the u.s. who connected accounts between january 2013 and november 2021. 98 million people.
what plaid was accused of:
• mimicking bank login screens to trick users
• harvesting more transaction data than apps actually needed
• building a massive data set from private financial histories
• not being transparent about what they were collecting
what plaid had to do
as part of the settlement:
• delete data: certain previously collected information had to be deleted.
• improve transparency: better disclosures about what data they collect and why.
• plaid portal: users can now see what apps are connected and manage permissions at my.plaid.com.
• minimize collection: only grab what's actually needed going forward.
the real problem: fraud liability
here's what most people miss. when you give your bank password to a third party, you might void your fraud protection.
cibc explicitly states they won't be responsible for losses that result from sharing credentials with third parties.
bank of america warns: when you share login info with third parties, they have the same access as you do, you can't control what they access, and they store your credentials, which could be compromised.
from bank of america's site:
"When you share your login information with third-parties, they have the same access to your information as you do. You usually can't choose how much information they access, and they store your login information which could be compromised in a security breach."
some banks reserve the right to waive fraud reimbursement if you've linked your account to third-party apps. fraud happens after you connect plaid? tough luck. you violated the terms of service.
bank TOS typically say: disclose your password to any third party, lose liability protections. doesn't matter if it's plaid or a random app.
oauth vs credential sharing
there's a better way: oauth.
old way (credential sharing): you type your bank password into plaid's interface. plaid stores it. plaid logs into your bank whenever they want. you hope they're secure.
oauth way: plaid redirects you to your actual bank website. you log in directly with your bank. bank gives plaid a secure token. plaid never sees your password.
oauth is how chase, capital one, and pnc work now. plaid partnered with okta in 2023 to push more banks toward oauth.
but plenty of banks still don't support it. those connections still use the old method: give plaid your password, cross your fingers.
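to make the difference concrete, here's a toy model of the two linking approaches described above. this is an added example, not plaid's or any bank's code: the Bank class, the user "alice", her password and account fields are all constructed, and the oauth side is reduced to its essential property (user authenticates at the bank, the third party gets only a scoped, revocable token).

```python
"""Toy model of the two linking approaches in the post. Constructed example:
a Bank with one sample user, and an aggregator that links either by storing
the password (credential sharing) or by holding a scoped token (oauth-style)."""
import secrets

class Bank:
    def __init__(self):
        self.passwords = {"alice": "hunter2"}            # constructed sample user
        self.data = {"alice": {"balance": 1200, "transactions": ["coffee", "rent"],
                               "profile": "ssn-redacted"}}
        self.tokens = {}   # token -> (user, allowed fields)

    def login(self, user, password):
        """password login: grants everything the account holder can see."""
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        return dict(self.data[user])

    def authorize(self, user, password, scopes):
        """oauth-style consent step: the user authenticates AT THE BANK and the
        bank hands back a scoped token; the third party never sees the password."""
        self.login(user, password)
        token = secrets.token_hex(16)
        self.tokens[token] = (user, frozenset(scopes))
        return token

    def fetch(self, token, field):
        """token access: limited to consented fields, dead once revoked."""
        if token not in self.tokens:
            raise PermissionError("token revoked or unknown")
        user, scopes = self.tokens[token]
        if field not in scopes:
            raise PermissionError(f"field {field} not granted")
        return self.data[user][field]

    def revoke(self, token):
        self.tokens.pop(token, None)

def credential_sharing(bank):
    """old way: aggregator stores the password and logs in as the user."""
    stored = {"user": "alice", "password": "hunter2"}   # what the aggregator keeps
    return stored, bank.login(stored["user"], stored["password"])

def oauth_style(bank):
    """oauth way: user consents at the bank; aggregator keeps only a token."""
    token = bank.authorize("alice", "hunter2", ["balance", "transactions"])
    stored = {"user": "alice", "token": token}
    seen = {f: bank.fetch(token, f) for f in ("balance", "transactions")}
    return stored, seen
```

the point to notice: in the credential-sharing path the aggregator's stored record contains the password and its login returns every field, while in the token path the stored record has no password, unrequested fields are refused, and revoking the token at the bank ends access without a password change.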
has plaid improved?
since the lawsuit, they've made changes:
• better security measures: encrypted tokens, real-time notifications when new apps connect, device verification
• more transparency about data collection
• pushing banks to adopt oauth
• plaid portal so you can see what's connected
but the fundamental problem remains: if your bank doesn't support oauth, you're still sharing credentials. and that means you're still at risk of losing fraud protection.
why paperright doesn't use plaid
we built paperright to avoid this mess entirely. no plaid. no bank connections. no credential sharing.
manual entry only. you type your expenses. you control your data. your bank never knows we exist. you never void your fraud protection.
slower? yeah. but you keep liability protection and you don't hand your banking passwords to a data aggregator.
that's the tradeoff. automation vs. control. convenience vs. security.
we chose control.
if you use apps with plaid:
• check if your bank supports oauth (look for "log in with [bank name]" instead of entering credentials in the app)
• visit my.plaid.com to see what's connected
• read your bank's terms about third-party access
• understand you might lose fraud protection if something goes wrong
98 million people gave up their passwords. most never got the $58 million settlement payout (divided among claimants, it wasn't much). most still don't know they might have voided their fraud protection.
convenience has a cost. sometimes that cost is your password and your legal protections.
try manual tracking instead: paperright.xyz