{"took":164,"timed_out":false,"_shards":{"total":5,"successful":5,"skipped":0,"failed":0},"hits":{"total":{"value":16,"relation":"eq"},"max_score":null,"hits":[{"_index":"complaint-public-v1","_id":"14735158","_score":18.149324,"_source":{"product":"Checking or savings account","complaint_what_happened":"I am reporting a serious security flaw in Capital One 's online banking system. During a recent incident on XX/XX/year> at XXXX am ET, someone was able to initiate a password reset on my account and receive a one-time password ( OTP ) to a new mobile number, not previously registered with my account. \n\nCapital One 's online system allows a person to select use a new number for OTP delivery without verifying their identity through any trusted contact method already on file ( phone or email ). This is a major security issue and defeats the purpose of multi-factor authentication ( MFA ). \n\nI reported the issue through XXXX XXXX fraud and customer service teams. I also sent a formal letter to their corporate office, but they have not responded. When I requested logs of where the XXXX was sent in that particular incident, they refused to provide them and claimed my browser may have been hacked which does not explain how the XXXX was sent to a number I did not authorize.","date_sent_to_company":"2025-07-19T02:40:26.000Z","issue":"Managing an account","sub_product":"Checking account","zip_code":"75025","tags":null,"has_narrative":true,"complaint_id":"14735158","timely":"Yes","company_response":"Closed with explanation","submitted_via":"Web","company":"CAPITAL ONE FINANCIAL CORPORATION","date_received":"2025-07-19T02:17:15.000Z","state":"TX","company_public_response":null,"sub_issue":"Problem accessing account"},"highlight":{"complaint_what_happened":["This is a major <em>security</em> issue and defeats the purpose of multi-factor authentication ( MFA ). \n\nI reported the issue through <em>XXXX</em> <em>XXXX</em> fraud and customer service teams. I also sent a formal letter to their corporate office, but they have not responded. When I requested logs of where the <em>XXXX</em> was sent in that particular incident, they refused to provide them and claimed my <em>browser</em> may have been hacked which does not explain how the <em>XXXX</em> was sent to a number I did not authorize."]},"sort":[18.149324,"14735158"]},{"_index":"complaint-public-v1","_id":"9929628","_score":17.567019,"_source":{"product":"Credit reporting or other personal consumer reports","complaint_what_happened":"I would like to file a complain because I am not able to place a credit freeze with Equifax. This a service which Equifax is legally required to make available to me for free. Onerous authentication requirements make this service inaccessible to me. \n\nFirst I attempted to authenticate on the web site. I was able to create an account, but the site says, \" Please give us a call : We can't complete your request at this time. Please call the Customer Care team. '' I called the provided phone number, and the customer service representative tried to authenticate me, but the process failed because I do not have a smart phone capable of opening the Document Verification link. When I visited those links in my browser, the site said, \" The Document Verification Service should be launched in a mobile browser. '' The representative said there was not another way, so I expressed that I would like to file a complaint or speak to a supervisor or manager. He transferred me.\n\nThe supervisor offered to verify my identity by emailing me a link that required me to upload two documents, one showing my full Social Security Number ( SSN ) such as a pay stub, XXXX, or Social Security card, and another showing my current address such as a Driver 's License. Being in the middle of moving house, my Driver 's License no longer has my current address, but it does have the previous address, which is only two weeks out of date, and which I submitted with my account creation request on the web site. My employer does not include a full SSN on pay stubs or XXXX, and I was not able to locate a social security card. I believe I have never needed one before.\n\nI'm finding this authentication process to be onerous. The assumption that every consumer will have a smartphone with a mobile browser is flawed. And the requirements for documentation are excessive : they are more than my bank requires to approve me for a home mortgage, and they are more than any landlord has required to rent a home to me. \n\nThe supervisor confirmed there is no other option : I will have to wait for my bank to report the new address and/or obtain a social security card. But I don't want to wait that long due to the the recent XXXXXXXX XXXX XXXX XXXX \n\nI understand the need to protect consumer data from fraud, but if I can not freeze my file in the wake of a major data breach, the system is broken. \n\nThank you for reviewing this complaint.","date_sent_to_company":"2024-08-28T01:01:38.000Z","issue":"Problem with fraud alerts or security freezes","sub_product":"Credit reporting","zip_code":"95405","tags":null,"has_narrative":true,"complaint_id":"9929628","timely":"Yes","company_response":"Closed with explanation","submitted_via":"Web","company":"EQUIFAX, INC.","date_received":"2024-08-28T00:38:37.000Z","state":"CA","company_public_response":null,"sub_issue":null},"highlight":{"complaint_what_happened":["My employer does not include a full SSN on pay stubs or <em>XXXX</em>, and I was not able to locate a social <em>security</em> card. I believe I have never needed one before.\n\nI'm finding this authentication process to be onerous. The assumption that every consumer will have a smartphone with a mobile <em>browser</em> is <em>flawed</em>."],"issue":["Problem with fraud alerts or <em>security</em> freezes"]},"sort":[17.567019,"9929628"]},{"_index":"complaint-public-v1","_id":"2665749","_score":17.034628,"_source":{"product":"Credit reporting, credit repair services, or other personal consumer reports","complaint_what_happened":"XX/XX/XXXX : I used the link on Equifax to confirm if I may have been impacted by their cybersecurity breach announced on XX/XX/XXXX. I followed the instructions and received confirmation that I may have been impacted by the breach and to continue credit monitoring enrollment. I followed the instructions provided by Equifax, however the tool is highly flawed and sends me through a loop to enter my information, and then continue enrollment again. I have not been able to enroll in their tool to begin monitoring my credit and track any fraudulent changes caused by the Equifax breach. See screenshots for step by step notations and attachment with HTML supporting that \" CONTINUE ENROLLMENT '' has no further procedures for Consumers to enroll. I have the latest OS version, and the browsers have latest patches and proper plug-ins and settings enabled. I looked at the Web debugger and the Enrollment and Continue Enrollment Buttons are EMPTY! They do not have proper redirect to continue enrollment page AFTER it has validated Last Name and Social Security and XXXX. This is a false solution to consumers.","date_sent_to_company":"2017-09-08T10:09:48.000Z","issue":"Improper use of your report","sub_product":"Credit reporting","zip_code":"981XX","tags":null,"has_narrative":true,"complaint_id":"2665749","timely":"Yes","company_response":"Closed with explanation","submitted_via":"Web","company":"EQUIFAX, INC.","date_received":"2017-09-08T09:39:10.000Z","state":"WA","company_public_response":null,"sub_issue":"Reporting company used your report improperly"},"highlight":{"complaint_what_happened":["I have the latest OS version, and the <em>browsers</em> have latest patches and proper plug-ins and settings enabled. I looked at the Web debugger and the Enrollment and Continue Enrollment Buttons are EMPTY! They do not have proper redirect to continue enrollment page AFTER it has validated Last Name and Social <em>Security</em> and <em>XXXX</em>. This is a false solution to consumers."]},"sort":[17.034628,"2665749"]},{"_index":"complaint-public-v1","_id":"11137886","_score":14.916738,"_source":{"product":"Credit reporting or other personal consumer reports","complaint_what_happened":"I have been actively disputing multiple negative items on my credit reports, including XXXX instances of 30-day late payments, XXXX instances of 60-day late payments, XXXX instances of 90-day late payments, and XXXX instances of 120-day late payments. Despite my repeated efforts to resolve this matter, XXXX XXXX has continuously refused to assist, with investigations ending in the response, \" ultimately, there is nothing we can do. '' They have acknowledged fault on their recorded lines but have failed to take any corrective action, leaving me with a severely damaged credit score. This ongoing issue has significantly impacted my reputation and has prevented me from achieving personal goals I am entitled to as a responsible consumer. \n\nThe issue originates from a divorce in 2021, during which XXXX XXXX failed to notify me directly of any late or missed payments. Upon discovering these negative items on my credit report, I contacted XXXX XXXX to investigate the situation. I learned that my ex-wife was able to authenticate changes to my personal information, preventing XXXX XXXX from sending me important notifications or communications regarding the delinquencies. As a result, I was unaware of these issues until they appeared on my credit report while applying for a mortgage. I requested that XXXX XXXX review their recorded calls and confirm that I had not been in contact with them nor authenticated any information since 2021. They acknowledged that I had not communicated with them directly nor authenticated via their portal, yet they insisted it was still my responsibility to address the loan. \nCustomer service representatives have confirmed that my ex-wife was using the portal to make changes to my account without my knowledge or consent. Despite this, XXXX XXXX refuses to take responsibility or offer any resolution, citing my supposed acknowledgment of responsibility when signing up for the portalsomething I did not do. Furthermore, they have refused to accept neglect on their part for not implementing proper and effective authentication methods. \nI have provided XXXX XXXX with a copy of the Divorce Decree, which clearly states that my ex-wife was required to remove a vehicle I co-signed for from my name within 30 days. Although they initially confirmed that the Decree would warrant an investigation, they later informed me that there was nothing they could do. This indicates that, despite acknowledging fraud and validating my claims, XXXX XXXX has taken no action to resolve the matter. \nIn addition to these issues, I have discovered several critical security flaws with XXXX XXXX 's website and customer portal. These flaws expose personal data and make it vulnerable to unauthorized access. Some of the most concerning issues include : Outdated Software : XXXX XXXX is using XXXX XXXXXXXX, which is outdated. The current version is XXXX  This version contains known vulnerabilities that are patched in more recent versions, which XXXX XXXX has neglected to update. \n\nSimilarly, XXXX XXXX is outdated, with the current version being XXXX. This version is susceptible to vulnerabilities such as XXXX XXXX ( XXXX ) and other security flaws. \n\nMissing or Misconfigured HTTP Security Headers : The website and customer portal lacks proper implementation of Strict-Transport-Security ( HSTS ), which forces browsers to connect via HTTPS, leaving it vulnerable to man-in-the-middle ( MITM ) attacks. \n\nThere are also missing or misconfigured XXXX cookies, which expose the website to Cross-Site Request Forgery ( CSRF ) attacks, potentially allowing attackers to impersonate users and perform unauthorized actions. \n\nFailure to Protect Consumer Data : Despite emphasizing the protection of personal data through federal law-compliant security measures, XXXX XXXX XXXX lack of recent security audits and failure to implement up-to-date security practices raises serious concerns about their commitment to safeguarding consumer information. \nI am filing this complaint with the CFPB requesting that XXXX XXXX immediately provide proof of their most recent security audits and demonstrate the measures they have taken to protect customer data, as required by law. If XXXX XXXX refuses this request, I will ask that the Consumer Financial Protection Bureau ( CFPB ) consider this a clear indication of Credit Acceptances neglect and failure to protect their consumers at which point I will request that the complaint to be made public. I demand that XXXX XXXX remove the previous stated delinquencies from all three of my credit bureau reports based on the fact that XXXX XXXX has knowingly and willingly allowed fraud to take place via their customer portal and consistently refused to accommodate any requests that I have previously made.","date_sent_to_company":"2024-12-12T16:56:02.000Z","issue":"Problem with a company's investigation into an existing problem","sub_product":"Credit reporting","zip_code":"446XX","tags":null,"has_narrative":true,"complaint_id":"11137886","timely":"Yes","company_response":"Closed with non-monetary relief","submitted_via":"Web","company":"TRANSUNION INTERMEDIATE HOLDINGS, INC.","date_received":"2024-12-12T16:55:58.000Z","state":"OH","company_public_response":"Company has responded to the consumer and the CFPB and chooses not to provide a public response","sub_issue":"Their investigation did not fix an error on your report"},"highlight":{"complaint_what_happened":["This indicates that, despite acknowledging fraud and validating my claims, <em>XXXX</em> <em>XXXX</em> has taken no action to resolve the matter. \nIn addition to these issues, I have discovered several critical <em>security</em> <em>flaws</em> with <em>XXXX</em> <em>XXXX</em> 's website and customer portal. These <em>flaws</em> expose personal data and make it vulnerable to unauthorized access. Some of the most concerning issues include : Outdated Software : <em>XXXX</em> <em>XXXX</em> is using <em>XXXX</em> XXXXXXXX, which is outdated."]},"sort":[14.916738,"11137886"]},{"_index":"complaint-public-v1","_id":"11137885","_score":14.887364,"_source":{"product":"Credit reporting or other personal consumer reports","complaint_what_happened":"I have been actively disputing multiple negative items on my credit reports, including XXXX instances of 30-day late payments, XXXX instances of 60-day late payments, XXXX instances of 90-day late payments, and XXXX instances of 120-day late payments. Despite my repeated efforts to resolve this matter, XXXX XXXX has continuously refused to assist, with investigations ending in the response, \" ultimately, there is nothing we can do. '' They have acknowledged fault on their recorded lines but have failed to take any corrective action, leaving me with a severely damaged credit score. This ongoing issue has significantly impacted my reputation and has prevented me from achieving personal goals I am entitled to as a responsible consumer. \n\nThe issue originates from a divorce in 2021, during which XXXX XXXX failed to notify me directly of any late or missed payments. Upon discovering these negative items on my credit report, I contacted XXXX XXXX to investigate the situation. I learned that my ex-wife was able to authenticate changes to my personal information, preventing XXXX XXXX from sending me important notifications or communications regarding the delinquencies. As a result, I was unaware of these issues until they appeared on my credit report while applying for a mortgage. I requested that XXXX XXXX review their recorded calls and confirm that I had not been in contact with them nor authenticated any information since 2021. They acknowledged that I had not communicated with them directly nor authenticated via their portal, yet they insisted it was still my responsibility to address the loan. \nCustomer service representatives have confirmed that my ex-wife was using the portal to make changes to my account without my knowledge or consent. Despite this, XXXX XXXX refuses to take responsibility or offer any resolution, citing my supposed acknowledgment of responsibility when signing up for the portalsomething I did not do. Furthermore, they have refused to accept neglect on their part for not implementing proper and effective authentication methods. \nI have provided XXXX XXXX with a copy of the Divorce Decree, which clearly states that my ex-wife was required to remove a vehicle I co-signed for from my name within 30 days. Although they initially confirmed that the Decree would warrant an investigation, they later informed me that there was nothing they could do. This indicates that, despite acknowledging fraud and validating my claims, XXXX XXXX has taken no action to resolve the matter. \nIn addition to these issues, I have discovered several critical security flaws with XXXX XXXX 's website and customer portal. These flaws expose personal data and make it vulnerable to unauthorized access. Some of the most concerning issues include : Outdated Software : XXXX XXXX is using XXXX XXXX, which is outdated. The current version is XXXX. This version contains known vulnerabilities that are patched in more recent versions, which XXXX XXXX has neglected to update. \n\nSimilarly, XXXX XXXX is outdated, with the current version being XXXX. This version is susceptible to vulnerabilities such as XXXX XXXX ( XXXX ) and other security flaws. \n\nMissing or Misconfigured HTTP Security Headers : The website and customer portal lacks proper implementation of Strict-Transport-Security ( HSTS ), which forces browsers to connect via HTTPS, leaving it vulnerable to man-in-the-middle ( MITM ) attacks. \n\nThere are also missing or misconfigured XXXX cookies, which expose the website to Cross-Site Request Forgery ( CSRF ) attacks, potentially allowing attackers to impersonate users and perform unauthorized actions. \n\nFailure to Protect Consumer Data : Despite emphasizing the protection of personal data through federal law-compliant security measures, XXXX XXXX XXXX lack of recent security audits and failure to implement up-to-date security practices raises serious concerns about their commitment to safeguarding consumer information. \nI am filing this complaint with the CFPB requesting that XXXX XXXX immediately provide proof of their most recent security audits and demonstrate the measures they have taken to protect customer data, as required by law. If XXXX XXXX refuses this request, I will ask that the Consumer Financial Protection Bureau ( CFPB ) consider this a clear indication of Credit Acceptances neglect and failure to protect their consumers at which point I will request that the complaint to be made public. I demand that XXXX XXXX remove the previous stated delinquencies from all three of my credit bureau reports based on the fact that XXXX XXXX has knowingly and willingly allowed fraud to take place via their customer portal and consistently refused to accommodate any requests that I have previously made.","date_sent_to_company":"2024-12-12T16:56:02.000Z","issue":"Problem with a company's investigation into an existing problem","sub_product":"Credit reporting","zip_code":"446XX","tags":null,"has_narrative":true,"complaint_id":"11137885","timely":"Yes","company_response":"Closed with explanation","submitted_via":"Web","company":"Experian Information Solutions Inc.","date_received":"2024-12-12T16:55:58.000Z","state":"OH","company_public_response":"Company has responded to the consumer and the CFPB and chooses not to provide a public response","sub_issue":"Their investigation did not fix an error on your report"},"highlight":{"complaint_what_happened":["This version contains known vulnerabilities that are patched in more recent versions, which <em>XXXX</em> <em>XXXX</em> has neglected to update. \n\nSimilarly, <em>XXXX</em> <em>XXXX</em> is outdated, with the current version being <em>XXXX</em>. This version is susceptible to vulnerabilities such as <em>XXXX</em> <em>XXXX</em> ( <em>XXXX</em> ) and other <em>security</em> <em>flaws</em>."]},"sort":[14.887364,"11137885"]},{"_index":"complaint-public-v1","_id":"11126152","_score":14.883844,"_source":{"product":"Credit reporting or other personal consumer reports","complaint_what_happened":"I have been actively disputing multiple negative items on my credit reports, including XXXX instances of 30-day late payments, XXXX instances of 60-day late payments, XXXX instances of 90-day late payments, and XXXX instances of 120-day late payments. Despite my repeated efforts to resolve this matter, XXXX XXXX has continuously refused to assist, with investigations ending in the response, \" ultimately, there is nothing we can do. '' They have acknowledged fault on their recorded lines but have failed to take any corrective action, leaving me with a severely damaged credit score. This ongoing issue has significantly impacted my reputation and has prevented me from achieving personal goals I am entitled to as a responsible consumer. \n\nThe issue originates from a divorce in 2021, during which XXXX XXXX failed to notify me directly of any late or missed payments. Upon discovering these negative items on my credit report, I contacted XXXX XXXX to investigate the situation. I learned that my ex-wife was able to authenticate changes to my personal information, preventing XXXX XXXX from sending me important notifications or communications regarding the delinquencies. As a result, I was unaware of these issues until they appeared on my credit report while applying for a mortgage. I requested that XXXX XXXX review their recorded calls and confirm that I had not been in contact with them nor authenticated any information since 2021. They acknowledged that I had not communicated with them directly nor authenticated via their portal, yet they insisted it was still my responsibility to address the loan. \nCustomer service representatives have confirmed that my ex-wife was using the portal to make changes to my account without my knowledge or consent. Despite this, XXXX XXXX refuses to take responsibility or offer any resolution, citing my supposed acknowledgment of responsibility when signing up for the portalsomething I did not do. Furthermore, they have refused to accept neglect on their part for not implementing proper and effective authentication methods. \nI have provided XXXX XXXX with a copy of the Divorce Decree, which clearly states that my ex-wife was required to remove a vehicle I co-signed for from my name within 30 days. Although they initially confirmed that the Decree would warrant an investigation, they later informed me that there was nothing they could do. This indicates that, despite acknowledging fraud and validating my claims, XXXX XXXX has taken no action to resolve the matter. \nIn addition to these issues, I have discovered several critical security flaws with XXXX XXXX 's website and customer portal. These flaws expose personal data and make it vulnerable to unauthorized access. Some of the most concerning issues include : Outdated Software : XXXX XXXX is using XXXX  XXXX, which is outdated. The current version is XXXX. This version contains known vulnerabilities that are patched in more recent versions, which XXXX XXXX has neglected to update. \n\nSimilarly, XXXX XXXX is outdated, with the current version being XXXX. This version is susceptible to vulnerabilities such as XXXX XXXX ( XXXX ) and other security flaws. \n\nMissing or Misconfigured HTTP Security Headers : The website and customer portal lacks proper implementation of Strict-Transport-Security ( HSTS ), which forces browsers to connect via HTTPS, leaving it vulnerable to man-in-the-middle ( MITM ) attacks. \n\nThere are also missing or misconfigured XXXX cookies, which expose the website to Cross-Site Request Forgery ( CSRF ) attacks, potentially allowing attackers to impersonate users and perform unauthorized actions. \n\nFailure to Protect Consumer Data : Despite emphasizing the protection of personal data through federal law-compliant security measures, Credit Acceptance 's lack of recent security audits and failure to implement up-to-date security practices raises serious concerns about their commitment to safeguarding consumer information. \nI am filing this complaint with the CFPB requesting that XXXX XXXX immediately provide proof of their most recent security audits and demonstrate the measures they have taken to protect customer data, as required by law. If XXXX XXXX refuses this request, I will ask that the Consumer Financial Protection Bureau ( CFPB ) consider this a clear indication of Credit Acceptances neglect and failure to protect their consumers at which point I will request that the complaint to be made public. I demand that XXXX XXXX remove the previous stated delinquencies from all three of my credit bureau reports based on the fact that XXXX XXXX has knowingly and willingly allowed fraud to take place via their customer portal and consistently refused to accommodate any requests that I have previously made.","date_sent_to_company":"2024-12-12T16:56:02.000Z","issue":"Problem with a company's investigation into an existing problem","sub_product":"Credit reporting","zip_code":"446XX","tags":null,"has_narrative":true,"complaint_id":"11126152","timely":"Yes","company_response":"Closed with non-monetary relief","submitted_via":"Web","company":"EQUIFAX, INC.","date_received":"2024-12-12T16:55:58.000Z","state":"OH","company_public_response":null,"sub_issue":"Their investigation did not fix an error on your report"},"highlight":{"complaint_what_happened":["This version contains known vulnerabilities that are patched in more recent versions, which <em>XXXX</em> <em>XXXX</em> has neglected to update. \n\nSimilarly, <em>XXXX</em> <em>XXXX</em> is outdated, with the current version being <em>XXXX</em>. This version is susceptible to vulnerabilities such as <em>XXXX</em> <em>XXXX</em> ( <em>XXXX</em> ) and other <em>security</em> <em>flaws</em>."]},"sort":[14.883844,"11126152"]},{"_index":"complaint-public-v1","_id":"15772667","_score":14.81802,"_source":{"product":"Credit card","complaint_what_happened":"On XX/XX/year>, I was charged on XXXX different credit cards for XXXX tickets to the XXXX XXXX Game at the XXXX XXXX XXXX  XXXX XXXX. I did not order them. The 2 sums are from XXXX, XXXXXXXX XXXX XXXX XXXX {$1900.00}, and XXXX, from XXXX XXXX XXXX XXXX XXXX XXXXXXXX XXXX XXXX {$3800.00}. Total loss is {$5700.00}. \n\nFirst discovery was XX/XX/year> and I called the number to cancel the charge which I stated was fraud, the amount of {$3800.00}. The other I noticed on XX/XX/year> when checking my bank statements. That amount is {$1900.00}. \n\nThe perpetrator used my PayPal account to gain access which I rarely used and even added another card in my name which I had used to buy things online. The method of access was a very large security flaw in XXXX XXXX browser. Instead of expiring tokens when tabs went to sleep, the tokens remained live so anyone with access to my browser can use. The passwords were still protected by pin but since the tokens did not expire, there was no request to enter a pin code. This is an error on XXXX. \n\nThe tickets were distributed and sold by XXXX XXXX in XXXX and processed by PayPal in XXXX XXXX. I reside in California and will be taking this case to other agencies. At least XXXX more. I want the matter resolved quickly and I don't want to hear I am going to have to pay the {$5700.00} which represents at least 2 months of my income. I am XXXX. So, this is also elder abuse financial exploitation. \n\nAs of today, both charges appear on my credit card statement and I am liable to pay. I don't want to pay for something I did not order especially when the cost is so high. XXXX tickets to a game you could might see on TV for {$5700.00}? \n\nI am not a sports fan. I did not make these XXXX purchases. I need help in getting the money back. So far, all attempts to get the money back has failed and I remain hopeless worrying how I am going to pay these XXXX big bills.","date_sent_to_company":"2025-09-07T00:58:30.000Z","issue":"Problem with a purchase shown on your statement","sub_product":"General-purpose credit card or charge card","zip_code":"92804","tags":null,"has_narrative":true,"complaint_id":"15772667","timely":"Yes","company_response":"Closed with explanation","submitted_via":"Web","company":"Paypal Holdings, Inc","date_received":"2025-09-07T00:45:27.000Z","state":"CA","company_public_response":null,"sub_issue":"Card was charged for something you did not purchase with the card"},"highlight":{"complaint_what_happened":["The method of access was a very large <em>security</em> <em>flaw</em> in <em>XXXX</em> <em>XXXX</em> <em>browser</em>. Instead of expiring tokens when tabs went to sleep, the tokens remained live so anyone with access to my <em>browser</em> can use. The passwords were still protected by pin but since the tokens did not expire, there was no request to enter a pin code. This is an error on <em>XXXX</em>. \n\nThe tickets were distributed and sold by <em>XXXX</em> <em>XXXX</em> in <em>XXXX</em> and processed by PayPal in <em>XXXX</em> <em>XXXX</em>."]},"sort":[14.81802,"15772667"]},{"_index":"complaint-public-v1","_id":"11138884","_score":14.768966,"_source":{"product":"Credit reporting or other personal consumer reports","complaint_what_happened":"I have been actively disputing multiple negative items on my credit reports, including XXXX instances of XXXX late payments, XXXX instances of XXXX late payments, XXXX instances of XXXX late payments, and XXXX instances of XXXX late payments. Despite my repeated efforts to resolve this matter, Credit Acceptance has continuously refused to assist, with investigations ending in the response, \" ultimately, there is nothing we can do. '' They have acknowledged fault on their recorded lines but have failed to take any corrective action, leaving me with a severely damaged credit score. This ongoing issue has significantly impacted my reputation and has prevented me from achieving personal goals I am entitled to as a responsible consumer. \n\nThe issue originates from a divorce in 2021, during which Credit Acceptance failed to notify me directly of any late or missed payments. Upon discovering these negative items on my credit report, I contacted Credit Acceptance to investigate the situation. I learned that my ex-wife was able to authenticate changes to my personal information, preventing Credit Acceptance from sending me important notifications or communications regarding the delinquencies. As a result, I was unaware of these issues until they appeared on my credit report while applying for a mortgage. I requested that Credit Acceptance review their recorded calls and confirm that I had not been in contact with them nor authenticated any information since 2021. They acknowledged that I had not communicated with them directly nor authenticated via their portal, yet they insisted it was still my responsibility to address the loan. \nCustomer service representatives have confirmed that my ex-wife was using the portal to make changes to my account without my knowledge or consent. Despite this, Credit Acceptance refuses to take responsibility or offer any resolution, citing my supposed acknowledgment of responsibility when signing up for the portalsomething I did not do. Furthermore, they have refused to accept neglect on their part for not implementing proper and effective authentication methods. \nI have provided Credit Acceptance with a copy of the Divorce Decree, which clearly states that my ex-wife was required to remove a vehicle I co-signed for from my name within 30 days. Although they initially confirmed that the Decree would warrant an investigation, they later informed me that there was nothing they could do. This indicates that, despite acknowledging fraud and validating my claims, Credit Acceptance has taken no action to resolve the matter.\n\nIn addition to these issues, I have discovered several critical security flaws with Credit Acceptance 's website and customer portal. These flaws expose personal data and make it vulnerable to unauthorized access. Some of the most concerning issues include : Outdated Software : Credit Acceptance is using Angular XXXX, which is outdated. The current version is XXXX. This version contains known vulnerabilities that are patched in more recent versions, which Credit Acceptance has neglected to update. \n\nSimilarly, XXXX XXXX is outdated, with the current version being XXXX. This version is susceptible to vulnerabilities such as XXXX XXXX ( XXXX ) and other security flaws. \n\nMissing or Misconfigured HTTP Security Headers : The website and customer portal lacks proper implementation of Strict-Transport-Security ( HSTS ), which forces browsers to connect via HTTPS, leaving it vulnerable to man-in-the-middle ( MITM ) attacks. \n\nThere are also missing or misconfigured SameSite cookies, which expose the website to Cross-Site Request Forgery ( CSRF ) attacks, potentially allowing attackers to impersonate users and perform unauthorized actions. \n\nFailure to Protect Consumer Data : Despite emphasizing the protection of personal data through federal law-compliant security measures, Credit Acceptance 's lack of recent security audits and failure to implement up-to-date security practices raises serious concerns about their commitment to safeguarding consumer information.\n\nI am filing this complaint with the CFPB requesting that Credit Acceptance immediately provide proof of their most recent security audits and demonstrate the measures they have taken to protect customer data, as required by law. If Credit Acceptance refuses this request, I will ask that the Consumer Financial Protection Bureau ( CFPB ) consider this a clear indication of Credit Acceptances neglect and failure to protect their consumers at which point I will request that the complaint to be made public. I demand that Credit Acceptance remove the previous stated delinquencies from all three of my credit bureau reports based on the fact that Credit Acceptance has knowingly and willingly allowed fraud to take place via their customer portal and consistently refused to accommodate any requests that I have previously made.","date_sent_to_company":"2024-12-12T16:55:48.000Z","issue":"Problem with a company's investigation into an existing problem","sub_product":"Credit reporting","zip_code":"446XX","tags":null,"has_narrative":true,"complaint_id":"11138884","timely":"Yes","company_response":"Closed with explanation","submitted_via":"Web","company":"CREDIT ACCEPTANCE CORPORATION","date_received":"2024-12-12T16:15:33.000Z","state":"OH","company_public_response":"Company has responded to the consumer and the CFPB and chooses not to provide a public response","sub_issue":"Their investigation did not fix an error on your report"},"highlight":{"complaint_what_happened":["Similarly, <em>XXXX</em> <em>XXXX</em> is outdated, with the current version being <em>XXXX</em>. This version is susceptible to vulnerabilities such as <em>XXXX</em> <em>XXXX</em> ( <em>XXXX</em> ) and other <em>security</em> <em>flaws</em>. \n\nMissing or Misconfigured HTTP <em>Security</em> Headers : The website and customer portal lacks proper implementation of Strict-Transport-<em>Security</em> ( HSTS ), which forces <em>browsers</em> to connect via HTTPS, leaving it vulnerable to man-in-the-middle ( MITM ) attacks."]},"sort":[14.768966,"11138884"]},{"_index":"complaint-public-v1","_id":"2491155","_score":14.350631,"_source":{"product":"Credit card or prepaid card","complaint_what_happened":"XXXX   XXXX  2017  Someone hacked into my account both email and debit card with Chase bank. I told Chase and they cancelled my card gave me a provisional credit I thought would be end of it. I told them it was not made nor authorized by me. Recently Chase reclaimed the $ XXXX  saying something was delivered to my address. I never got anything.\nThis is their file on my bank account \n\n  XXXX   XXXX   , 2017  \t   XXXX     XXXX  FL  XX/30 \n  XXXX   XXXX  2017 \tReversal:  XXXX   XXXX  FL\n  XXXX   XXXX   , 2017\tCl aim reversal:  XXXX   XXXX  FL\n\nFrom  XX/XX/XXXX  to  XX/XX/XXXX  today I emailed on secure server. I give up with Chase.\n\nLast\n\nThis I recently discovered.\n\n\nRegarding the $  XXXX   fraudulent purchase not made by me in  XX/XX/XXXX , I have new info to share with you.\n\nI can't give you any other proof, except today I discovered I was still infected from  XX/XX/XXXX .\n\nToday I downloaded a program called   XXXX   XXXX  , but I was afraid to give my credit card info because of still being infected.\n\nInstead I used the program to show me what registry keys were infected as well as two browsers. And I manually took out a total\n\nof  XXXX  objects   XXXX   XXXX    detected. It took me over 5 hrs to do.\n\nThe things I was infected with all along are as follows 1]  XXXX  it says it disrupts pc operations, gathers sensitive info\n\n2]   XXXX   it says it exploits vulnerability and security flaws malicious website and email downloading attachments to steal\n\nyour private info.  3]   XXXX   similar to # 2. 4] Malware.  XXXX   hijack browser and search results These 4 are severe category.\n\nNext list are moderate severe 5]  XXXX  6]  XXXX .it search hijacks browsers. \n\nNow less severe category 7] Adware Helpers 411 infections.  More Adware programs 8] Adware.  XXXX   46 infections.\n\n9]Adware.  XXXX   XXXX   XXXX  ,  10] Adware.  XXXX   11]Adware . XXXX  12] Adware. XXXX   XXXX  infections .\n\nPlease look up these things on google to verify they are what I say I removed.\n\nAt this point because of what I found today if you don't reverse the reversal charge I will be filing a complaint\n\nagainst Chase with the cfpb.\n\n\nAnd if you force me to do that I will also be looking for another bank sometime later this year.\n\nI can not do business with anyone who insults my integrity and honesty.\n\nThis email was sent to \n\nTo: \" XXXX \"  \nSent: Saturday,   XXXX   XXXX   , 2017   XXXX   XXXX \n\nChase isn't listening to me. So I'm filing this complaint.","date_sent_to_company":"2017-05-22T21:37:06.000Z","issue":"Problem with a purchase shown on your statement","sub_product":"General-purpose credit card or charge card","zip_code":"13069","tags":null,"has_narrative":true,"complaint_id":"2491155","timely":"Yes","company_response":"Closed with explanation","submitted_via":"Web","company":"JPMORGAN CHASE & CO.","date_received":"2017-05-22T21:07:52.000Z","state":"NY","company_public_response":null,"sub_issue":"Card was charged for something you did not purchase with the card"},"highlight":{"complaint_what_happened":["The things I was infected with all along are as follows 1]  <em>XXXX</em>  it says it disrupts pc operations, gathers sensitive info\n\n2]   <em>XXXX</em>   it says it exploits vulnerability and <em>security</em> <em>flaws</em> malicious website and email downloading attachments to steal\n\nyour private info.  3]   <em>XXXX</em>   similar to # 2. 4] Malware.  <em>XXXX</em>   hijack <em>browser</em> and search results These 4 are severe category.\n\nNext list are moderate severe 5]  <em>XXXX</em>  6]  <em>XXXX</em> .it search hijacks <em>browsers</em>."]},"sort":[14.350631,"2491155"]},{"_index":"complaint-public-v1","_id":"10331241","_score":12.909312,"_source":{"product":"Checking or savings account","complaint_what_happened":"On XX/XX/year>, I discovered that {$11000.00} was fraudulently withdrawn from my Chase business account through unauthorized salary payments. These payments were made to individuals fraudulently added as employees without my consent. \n\nUpon discovering the charges, I rushed to a Chase branch, where I was redirected to the Fraud Investigation Department ( XXXX ). However, I was initially unable to file a claim due to a system update. After multiple attempts, I finally filed the claim on XX/XX/XXXX, and was told I would be reimbursed within XXXX business days if the investigation was not resolved. After significant delays, I was informed that my claim was denied, with Chase stating the transactions were made using my device. \n\nI am appealing this decision based on critical evidence that was overlooked, as well as conflicting information provided by Chase Bank representatives. \n\nSupporting Information : Device Log-In Timing : My computers kernel-power logs ( attached ) show my device first booted on XX/XX/year>, at around XXXXXXXX XXXX  This means my device was not in use prior to that time, making it impossible for any earlier transactions to have been made from my device. \n\nBrowser History : My browser history ( attached ) confirms that I attempted to log into my Chase account at XXXXXXXX XXXX  However, I was blocked by a device attestation message ( also attached ), preventing me from successfully logging in. \n\nSecure Messages : I have attached secure messages ( not emailed to me ) from the Chase Bank app showing that two employees, XXXX XXXX and XXXX XXXX XXXX, were added to my account as payees without my knowledge. These messages state that the additions were made by an authorized user on my account. However, during a phone conversation, a Chase representative explicitly told me that I am the only authorized user on this account. This presents a serious inconsistency in Chases handling of this case and suggests a breach of account security. \n\nConflicting Information : Chase Bank has provided conflicting information at every step. I was told my claim would be processed within 10 business days and that I would receive reimbursement if the investigation was unresolved by then. On XX/XX/XXXX, I was told the money would be credited within a few hours, but the funds never arrived. When I followed up, I was told there was no definite time for reimbursement. \n\nConclusion : It is clear that unauthorized actions were taken on my account before my device was in use, and I was blocked from accessing my account after attempting to log in. The claim denial based on device matching is flawed, especially given that I was the only authorized user on the account, and these fraudulent payees were added without my consent. \n\nAdditionally, I am preparing to file a police report regarding this matter. I demand an immediate and thorough investigation into how these unauthorized actions were allowed to occur on my account.","date_sent_to_company":"2024-10-03T20:29:40.000Z","issue":"Managing an account","sub_product":"Checking account","zip_code":"92614","tags":null,"has_narrative":true,"complaint_id":"10331241","timely":"Yes","company_response":"Closed with explanation","submitted_via":"Web","company":"JPMORGAN CHASE & CO.","date_received":"2024-10-03T19:32:15.000Z","state":"CA","company_public_response":null,"sub_issue":"Problem using a debit or ATM card"},"highlight":{"complaint_what_happened":["<em>Browser</em> History : My <em>browser</em> history ( attached ) confirms that I attempted to log into my Chase account at XXXXXXXX <em>XXXX</em>  However, I was blocked by a device attestation message ( also attached ), preventing me from successfully logging in. \n\nSecure Messages : I have attached secure messages ( not emailed to me ) from the Chase Bank app showing that two employees, <em>XXXX</em> <em>XXXX</em> and <em>XXXX</em> <em>XXXX</em> <em>XXXX</em>, were added to my account as payees without my knowledge."]},"sort":[12.909312,"10331241"]},{"_index":"complaint-public-v1","_id":"1605511","_score":11.260461,"_source":{"product":"Bank account or service","complaint_what_happened":"I have XXXX unauthorized transactions for about {$2000.00} taken from my account and here is what happened so far. 1. Usaa would n't do anything to stop further loss after I reported it. The second transaction was still pending and they did n't stop it. They even would n't freeze my account and the perpetrator could continue transferring money out of my account. I ended up transferring what left to other account so I do n't lose more money. 2 XXXX Their system has security flaws. Logging on the phone app wo n't give you any notification. After I changed my password I can still log in on my phone by just entering the pin. They even did n't ask for the new password! I called and they opened an XXXX ticket. Also if you use a smart phone, use the smart phone 's web browser and log in to usaa and it would n't give you any notification for logging into a new device.3 ) they violated federal regulations their own banking agreement. My money was sent to XXXX and I called XXXX myself to look in the transactions since usaa wo n't do anything for me. XXXX was being very helpful and they pin pointed they are fraudulent transactions and they ve sent the findings to usaa. However either I or XXXX can even get a hold my investigator. It took me about 2 hours today just to get hold her voice mail! However I also talked to a senior rep today and she told me even it is fraudulent charges they wo n't reimburse me if they ca n't get the money from XXXX and it is my loss. After consulting my lawyer, he told me usaa has to pay me back if I reported the unauthorized transactions within 2 days and I am liable for {$50.00} the most under federal regulations XXXX and electronic fund transfer act. I reported the next day when the transactions happened. I also found the same policy written on their own banking policy page XXXX under \" unauthorized transactions '' and I have talked to at least XXXX different XXXX from USAA and nobody ever told me anything about it. 4 it takes forever to talk to the right person and even you did it is the voice mail. My phone calls with usaa has been at least one hour each time and got transferred at least 5 times. At this point I think this is intentional so I will give up fighting to get my money back. 5. They contradicted themselves each time I called. I was told first within 48 hours I will have a result. But after 53 hours the investigator told me it just hit her desk. I got called saying the case was closed within one hour after that. But I also got told the case is still under investigation from other rep. At this point I really do n't know what 's going on and I do n't think they would do anything to refund my money. 6 ). the investigator finally called me and told me itis fraud and they ca n't get my money back until they get money from XXXX. And so far I do n't see they have done anything to retrieve the money from XXXX either. This is a violation of # 3 again- as long as the transactions are unauthorized and I reported within 2 days they ca n't hold me liable for more than {$50.00}. They also told me because I had to change my online password a week ago before this happened, then itis my fault. I simply forgot my password and I had to reset it but the bank said because of this and that 's why my account got hacked. And that 's why they refuse to reimburse me. For one they had no proof these XXXX events are related ; second even it is true, they ca n't refuse to pay me back under regulation XXXX I guess I can never reset my password then. I think their system has security flaws which I can prove a few and then the hackers got into it but then I am to blame for the loss ( because I have money in my account? ). 7 ) I am so fed up on all this and they are just playing the phone games with me now- either got hold forever or transferred to voicemail. I want other consumers to learn from my experience.","date_sent_to_company":"2015-10-14T21:37:43.000Z","issue":"Deposits and withdrawals","sub_product":"Checking account","zip_code":"64114","tags":null,"has_narrative":true,"complaint_id":"1605511","timely":"Yes","company_response":"Closed with explanation","submitted_via":"Web","company":"UNITED SERVICES AUTOMOBILE ASSOCIATION","date_received":"2015-10-14T21:37:42.000Z","state":"MO","company_public_response":"Company believes it acted appropriately as authorized by contract or law","sub_issue":null},"highlight":{"complaint_what_happened":["I have <em>XXXX</em> unauthorized transactions for about {$2000.00} taken from my account and here is what happened so far. 1. Usaa would n't do anything to stop further loss after I reported it. The second transaction was still pending and they did n't stop it. They even would n't freeze my account and the perpetrator could continue transferring money out of my account. I ended up transferring what left to other account so I do n't lose more money. 2 <em>XXXX</em> Their system has <em>security</em> <em>flaws</em>."]},"sort":[11.260461,"1605511"]},{"_index":"complaint-public-v1","_id":"4149774","_score":10.296966,"_source":{"product":"Money transfer, virtual currency, or money service","complaint_what_happened":"ISSUE : I'm unable to login into my account ever since I changed mobile phone numbers. The way they are set up - which NO other financial company does - you can not get help AT ALL unless you can authenticate into their system. Problem is, when you CAN NOT authenticate because of their poorly designed and flawed authentication system, YOU ARE LOCKED OUT. Goodnight! You're done, son! \n\nSTEPS TO DUPLICATE 1. Change your mobile number with your mobile provider. You have no way of knowing in advance which number you will be assigned in your new area code, so it's not like you can give PayPal advanced notice or log into their system and add the new number while you still have the old one. It doesn't work that way. \n2. Go to to paypal.com. \n2. Enter your login credentials ( username and password ).\n\n3. It accepts it, but wants to further verify your identity by sending a one-time code to your mobile phone. It lists the last three digits of your OLD number.\n\n4. Obviously, you can't have it text your old number - it's now out of service ; so, click on the link below the \" Continue '' button that reads, \" Having trouble logging in? \".\n\n5. It returns a screen that reads, \" Quick security check. We just need some additional info to confirm it's you. Receive a text. Mobile [ it AGAIN lists your old mobile number showing the first digit of its area code and, this time, the last four digits of your old number.\n\n6. At this point, you are done son. You have NO OTHER OPTIONS. No WAY TO LOGIN. They have you trapped in an endless, vain, and fruitless loop.\n\n7. Okay, go ahead and try to call them. Once you get through the menu, it tells you that you can not speak to anyone. It tells you that you must first log into your account and use the Help Center. Yep.\n\nNOW ONTO MY RANT WITH MY NIGHTMARISH EXPERIENCE TRYING TO RESOLVE THIS ISSUE : They are REALLY THAT XXXX  AND INCOMPETENT. I am not a mean person. I try to be nice and courteous with everyone. I'm really patient. They have successfully brought me to the edge of sanity, figuratively speaking. You have ZERO RECOURSE for help ; so, what are you to think? Yep. They are incompetent XXXX  and they really aren't interested in helping you. They want your money. They do not care about customer service quality. Not one bit. Even the people of the phone in their credit dept show by their words and actions that they aren't willing to go the extra mile to help a valued customer ( okay, I guess I'm NOT valued by them ... but neither are you, really ). If I had been in their shoes, I would have taken my information and I would have hunted down the right people who had the power to solve my problem. Nope. Didn't care.\n\nI have tried EVERY back door I could to speak to a LIVE person willing to help me, including their credit division. They wouldn't help me. I've tried for a year now. The stress this has caused has been IMMENSE. Someone else, now, has my mobile number. They could actually get into my account. So, ironically, what they \" call '' a security feature turns out to make a customer VERY INSECURE.\n\nNow, a gal in the credit dept said that I can click on \" Having trouble logging in '' - and when it presents my old mobile number - I can click on an option to add another one. NOPE!!!!!!!!!! I was told to wait a few days and try again. NOPE!!!!!!!\n\nMeanwhile, I'm bebound and I'm in TERRIBLE BACK PAIN. This is TOO MUCH! My wife and parents are witnesses to the stress and trauma this has caused me. \n\nI should be able to access my account!!!!! I just want to close it at this point. My experience with PayPal has been SO BAD, that I NEVER, EVER want to deal with that incompetent company again. \n\nHonestly, at times, I felt like I was going to have a nervous breakdown because PayPal does not give a customer ANY WAY to resolve the issue - even to close the account - unless you can login. I'm not alone based on what I see online. \n\nI'm a techy guy. I have 30+ years in the XXXX  and XXXX XXXX. I'm no XXXX  when it comes to using technology. I've tried clearing browser caches, changing browsers, using their mobile app .... EVERYTHING.\n\nThen, a week ago, I received an email statement from PayPal ( which started this whole stressful ordeal when I got notifications from my bank of charges from PayPal that I did not recognize - kept coming for months with new charges ), they had a link in the message saying \" Having troubles logging in? \". I tried it out of desparation - hoping that the company would finally get its act together and FIX their ridiculously flawed system. And, to my great surprise and incredible joy (!!!!! ), it offered me an opportunity to add another mobile number to my account. Mind you, it didn't log me in - it simply prompted me AFTER I provided my correct login credentials ( which always works ... it's the \" security feature '' that wants to send a code to my old mobile number that always XXXX  me ).\n\nHowever, my joy and exhultation ( literally ) was short lived. After it accepted and verified my \" new '' mobile number ( which, by this time, I've had for a year now ) - rather than logging me into my account - it brought me to the login screen!!! Okay, I thought, this won't be a problem now because they have my new mobile number AND they verified it. Nope. Their incompetency just continues to go to lower depths. After successfully providing my login credentials, it wanted to verify me with a code sent to ... .. guess what (? ) .... MY OLD MOBILE NUMBER. It gave me NO OPTION to use the NEW number they had ALREADY ACCEPTED FROM ME just a few minutes ago.\n\nOh my gosh!!! If this weren't happening to me, I would think this was a lie. But, no, it's my life with PayPal and my worst experience ever with a company 's technology.\n\nMan, I just want to close the account. Can't. I can't successfully get into my account so that I can use their Help tool.\n\nOh, and by the way, YES!!!! I did send an email to their support email. I get their useless automated email telling me to log into my account and then get help from their Help Center. Really, it's that XXXX. \n\nI'm sorry, but these guys are XXXX. I'm shocked they've been able to remain in business. They need to fire whoever is in charge of their online experience and the person over customer service. AWFUL!!!! NIGHTMARE!!!! \n\nI'm not lying. It really is THAT BAD.","date_sent_to_company":"2021-02-18T23:11:07.000Z","issue":"Managing, opening, or closing your mobile wallet account","sub_product":"Mobile or digital wallet","zip_code":"84780","tags":null,"has_narrative":true,"complaint_id":"4149774","timely":"Yes","company_response":"Closed with non-monetary relief","submitted_via":"Web","company":"Paypal Holdings, Inc","date_received":"2021-02-18T22:06:34.000Z","state":"UT","company_public_response":null,"sub_issue":null},"highlight":{"complaint_what_happened":["I have 30+ years in the <em>XXXX</em>  and <em>XXXX</em> <em>XXXX</em>. I'm no <em>XXXX</em>  when it comes to using technology. I've tried clearing <em>browser</em> caches, changing <em>browsers</em>, using their mobile app .... EVERYTHING.\n\nThen, a week ago, I received an email statement from PayPal ( which started this whole stressful ordeal when I got notifications from my bank of charges from PayPal that I did not recognize - kept coming for months with new charges ), they had a link in the message saying \" Having troubles logging in? \"."]},"sort":[10.296966,"4149774"]},{"_index":"complaint-public-v1","_id":"20112480","_score":9.858663,"_source":{"product":"Money transfer, virtual currency, or money service","complaint_what_happened":"Statement of Problem : On XX/XX/year>, my local development server was compromised by a Remote Access Trojan ( RAT ) malware attack, turning it into a \" zombie machine. '' Hackers hijacked my active browser sessions to initiate XXXX unauthorized online purchases totaling over {$3100.00}. \nPayPal has officially denied my fraud claim ( Claim ID XXXX ) for the XXXX {$1700.00} XXXX XXXX charge. They are relying entirely on a spoofed IP match from my compromised computer to excuse their own catastrophic system failures. I demand that PayPal address the following undeniable facts and provide actual technical proof to this XXXX, rather than automated excuses : XXXX. The \" XXXX Bank '' XXXX of XXXX : PayPal claims the transaction was \" fully authorized '' because the IP address matched. However, the {$1700.00} XXXX XXXX transaction was forced through a completely closed bank account with a XXXX balance that remained listed on my profile. I demand that PayPal prove to the CFPB, with technical logs, exactly how a dead, closed bank account successfully communicated with their servers to authorize a {$1700.00} purchase. They can not, because this is a fatal flaw XXXX their authorization architecture. \nXXXX. XXXX XXXX XXXX XXXX XXXX XXXX : During the attack, PayPals security alarms were triggered. At XXXX AM, they sent me an interactive SMS asking to confirm the payment. I immediately replied \" XXXX '' and \" Security breach. '' PayPal ignored the authorized account owner 's explicit denial and allowed the charge to process anyway, yet their automated SMS replies and web displays deceptively promised they were working on it. XXXX a final written response ( XX/XX/XXXX ), PayPal 's XXXX XXXX explicitly admitted their interactive SMS notifications are merely \" informational '' and can not stop a payment. \nXXXX. Misplaced Trust During an Active Crisis : Because PayPals system deceptively told me the situation was being handled, I relied on their promises. I was XXXX the middle of a massive cyber-crisis, frantically triaging and recovering my compromised local development servers. PayPal 's deceptive assurances crippled my ability to prioritize this financial breach. They robbed me of my \" golden window '' to react, as I trusted they were acting as my gatekeeper. \nXXXX. The XXXX XXXX vs. The Rushed Denial : PayPal claims their system detected nothing wrong, yet I was able to independently recover the accompanying {$1400.00} fraudulent charge directly from XXXX. XXXX 's fraud department recognized the illegitimacy of this exact same hijacked session and refunded the money without PayPal 's help. Meanwhile, PayPal rushed to close my XXXX XXXX dispute XXXX a mere XXXX daysafter the damage was already doneand stubbornly refuses to admit their algorithms failed to catch what another merchant easily verified. \nIndex of Attached Evidence : Please reference the XXXX attached files which conclusively prove the systemic failures outlined above : Exhibit XXXX : XXXX XXXX Receipt : Proves the hackers used an unauthorized XXXX XXXX drop address. It also displays a deceptive \" You reported a problem with this transaction '' headline, further contributing to the false sense of security that the issue was actively being handled. \nExhibit XXXX : XXXX XXXX XXXX XXXX : XXXX PayPal closed the investigation XXXX just XXXX days. \nExhibit XXXX : XXXX XXXX XXXX : Proves a legitimate merchant successfully identified this exact session as fraud. \nExhibit XXXX : PayPal XXXX ( XXXX Bank ) : The smoking XXXX proving PayPal forced a transaction through a dead bank account. \nExhibit XXXX : PayPal SMS Log : Proves PayPal sent an interactive security alert, received my explicit \" No '' and \" Security breach '' replies XXXX real-time, but allowed the charge to process anyway. \nExhibits XXXX & XXXX : XXXX Bank SMS Logs : Demonstrates how my traditional bank honored my real-time \" No '' response to block fraudulent charges on the exact same day. \nExhibit XXXX : XXXX Transaction History : Proves these massive electronic purchases were a severe behavioral anomaly. \nExhibit XXXX : XXXX XXXX Final Denial ( XX/XX/XXXX ) : PayPal 's official written admission that their security texts are merely \" informational. '' Exhibit XXXX : Collections & XXXX Threat ( XX/XX/XXXX ) : PayPal 's written refusal to manually halt automated collection harassment during an active regulatory dispute, explicitly daring me to serve them with a lawsuit. \n\n\nDesired Resolution : PayPal is hiding behind a hijacked IP address to excuse the fact that they ignored the actual account owner, bypassed dead financial instruments, and sent deceptive alerts that sabotaged my emergency response. Furthermore, they are actively weaponizing their collections department against me while refusing to halt automated systems. I request the CFPB compel PayPal to clear the {$1700.00} fraudulent negative balance, reverse the unauthorized charge, and cease all collection threats immediately.","date_sent_to_company":"2026-03-10T00:04:18.000Z","issue":"Unauthorized transactions or other transaction problem","sub_product":"Mobile or digital wallet","zip_code":"90630","tags":null,"has_narrative":true,"complaint_id":"20112480","timely":"Yes","company_response":"Closed with explanation","submitted_via":"Web","company":"Paypal Holdings, Inc","date_received":"2026-03-09T23:40:17.000Z","state":"CA","company_public_response":null,"sub_issue":null},"highlight":{"complaint_what_happened":["They can not, because this is a fatal <em>flaw</em> <em>XXXX</em> their authorization architecture. \n<em>XXXX</em>. <em>XXXX</em> <em>XXXX</em> <em>XXXX</em> <em>XXXX</em> <em>XXXX</em> <em>XXXX</em> : During the attack, PayPals <em>security</em> alarms were triggered. At <em>XXXX</em> AM, they sent me an interactive SMS asking to confirm the payment."]},"sort":[9.858663,"20112480"]},{"_index":"complaint-public-v1","_id":"19414601","_score":9.649829,"_source":{"product":"Money transfer, virtual currency, or money service","complaint_what_happened":"On the XXXX of XX/XX/2026 I accidentally and unknowingly downloaded A virus and although I ran A virus scan it came back clean. On the XXXX of XX/XX/2026 I woke up to find that several accounts of mine had been compromised, specifically every one of them that had A password saved in my browser. After downloading Malware-bytes and running A scan it found a XXXX  that was disguising itself as my browser. After successfully removing the virus and changing the passwords to all accounts that had their passwords saved on my browser. Coinbase was not an account that I had my password saved on and neither was my email. After completely turning off my computer and disconnecting it from the electricity I thought that was the end of it. I then wake up on the XXXX of XX/XX/2026 sometime in the afternoon to four messages in my phone indicating that I had sold XXXX $ of Bitcoin at XXXX XXXX XXXX $ of Etherium at XXXX, and have successfully initiated a withdrawal to a XXXX account for XXXX $ at XXXX. The fourth notification was one that I received in the afternoon about my account being locked after all the actions had taken place. I was able to confirm latter that the message was sent right after the withdrawal request at XXXX but I didn't receive it until a couple hours latter. I got in contact with a representative of Coinbase at XXXX the same day through the request a call feature. I informed them that my account had been hacked and that I needed to cancel the pending withdrawal as soon as possible. They informed me that as long as my account was locked no withdrawals could happen, and that any pending withdrawals would be canceled. The call was disconnected several times during these attempts, of witch I received different pieces of info in regards to if they would be able to cancel a pending withdrawal. My case was eventually escalated to the specialist support team and I received an email at XXXX on the XXXX acknowledging the problem and that they are reviewing my concern. I responded at XXXX the same day questioning how they where able to get in without 2fa verification since I never received any 2fa codes from my phone or email and bother where uncompromised, and if they where able to cancel the withdrawal. On the XXXX of XXXX at XXXX I received an email from Coinbase stating that their records show that on XXXX, my account was accessed from a device and the IP address XXXX/ XXXX XXXX XXXX  XXXX I live in the state of XXXX. I also didn't catch it at first, but this is the first time they don't actually say the correct date of the unauthorized transactions, as they refer to the 13th but the unauthorized activity only happened on the 14th. They then claim that it was likely due to a third party who had physical or remote access to my device or web browser session. They then go on to say that a session begins when I log in and ends when I log out and that I am responsible for my device 's security. My computer was disconnected from electricity and also virus free at the time of unauthorized activity. I reply on the XXXX at XXXX thanking them for the detailed response, and that I understand their stance on device security, but that ultimately it none of what they have said explains how the activity was allowed to happen in the first place. Its clear the activity happened in a completely different state and yet there was no 2fa request, I then mention a Coinbase representative ( XXXX ) had informed me that reimbursement is possible when safeguards fail. On the XXXX of XXXX I received another email that they aren't able to protect my email account, devices, passwords, 2-step verification codes, or other credentials for me, and claim that due to this they cant take responsibility for any activity on my account. They also encourage me to file with the IC3. I respond on the same day at XXXX once again acknowledging their position on device security, but that I'm referring to authorization safeguards. I ask that they do one of the following, reconsider reimbursement due to the failed and or lacking security that resulted in my funds lost, Written confirmation that Coinbase 's position is final, so I may pursue external review and document my experience accurately. I received no response by the end of the XXXX so I sent an email informing them that I will be filing with the IC3 and will be providing a case number as soon as possible. On the XXXX I filed with the IC3 at XXXX EST and had taken a screenshot of such completed form. I had been waiting to receive the confirmation email from IC3 but as of the time of writing i have not received said email. On the XXXX of XXXX I sent an email to Coinbase again with the screenshot of the completed form as well as asking them to add the report to my case file and to escalate it to the next level for further review. I have yet to receive a reply to this email. On the XXXX of XXXX I decided to take a more direct approach to solving this issue, I made a XXXX account as it was required to contact their customer support team. The same bank that my funds where withdrawn too. After completing my account creation at XXXX I called the support line and asked if they where able to tell if anyone had ever made an account in my name before, they responded with a firm no, and that they looked not only at my name but my social security number as well and found no records of any account under them ever having such credentials. I then went to call Coinbase again with the new info as how could a bank account that doesn't even have my name or social be linked so fast without a waiting period. They then explained that they outsource the security to XXXX or ( XXXX  ). They then go on to say that XXXX securely connects to my bank to verify that the account exists and retrieves limited data like my account and routing numbers, and the bank account owner details ( name, address, etc. They then go on to say that my banking username and password are never shared with Coinbase and that they stay with XXXX for verification only. They then explain that Coinbase uses the info XXXX provides to confirm the bank details are valid and that the owner information matches my Coinbase profile, Decide whether the bank can be added as a payment method or needs manual review if there is a name mismatch, and apply security controls such as encryption of my bank details, strict internal access controls, and holds on certain bank deposits ( for example, ACH/EFT ) so those funds cant be immediately cashed out or sent off the platform until the transfer fully clears. Rather take their word on it I decide to contact XXXX directly and get their side of the story. I make a Data protection Rights Request in an attempt to find out if the unauthorized XXXX account that was linked to my Coinbase account had any matching credentials of mine. After asking XXXX  several questions in regards to their roll with Coinbase I am told that Coinbase is a client of XXXX  and XXXX will verify the users credentials, and then in the case of Coinbase we'll share the required information with Coinbase such as account numbers, balance, name, email, phone, etc. It is then up to Coinbase to verify the information shared and take any fraud and security steps to verify the user. This contradicts with Coinbase 's statement, ( Your actual online banking username and password are never shared with Coinbasethey stay with XXXX for verification only. ) I then try to create another case on the XXXX of XXXX with the new info I have. On the XXXX of XX/XX/2026 I receive an email from Coinbase of which they reference that their records show on XX/XX/2026 my account was accessed from a XXXX  XXXX device and the IP address XXXX- United States. That results in an address in XXXX, a full XXXX miles away from where I live and contradicts their previous statement about their records showing it was in XXXX/ XXXX, XXXX. They also once again talk about the XXXX and not the XXXX when the unauthorized activity happened. On the same day at XXXX I respond to the email addressing the date mismatch and attribute it to a mistake on their end similar to a typo. I then make note of the incorrect IP address and provide them with my public IP address, XXXX as well as a screenshot of the website XXXX  for proof of my public IP address. I make a point that they don't have any knowledge of where it actually was that my account was accessed from, the fact I have XXXX stating that there has never been an account in my name at the time of unauthorized activity, and that I've proven they have several security flaws and I ask them that they reimburse me. They then respond stating that they understand my concern regarding the sign-in IP address matching my location, witch it doesn't and never implied that it did. They then go on to acknowledge that the bank that was used to withdraw the funds did not match my personal info on file with Coinbase, and that it was deleted from my account shortly after the withdrawal was completed. They then state that this is a common pattern they see in cases where a third party may have gained access and removed traces of the payment method afterward. The reason why the account was deleted from my account was because my account was locked, this happened right after the withdrawal due to suspicious activity, witch according to Coinbase deletes any connections the account may have with any other accounts in an attempt of security, this of course only happened after the withdrawal was irreversibly initiated. They then acknowledge that because of these findings they cant treat the withdrawal as if it was initiated from a bank that clearly belongs to me, then again incorrectly claim that the IP addresses match. They then say their decision must be based on the full set of signals they see, because of the mismatch in credentials and the banks quick removal are significant risk indicators. They then go right back to blaming the device that was virus free and turned off at the time of the unauthorized activity, say that account holders are responsible for security. I respond on the same day, the XXXX of XX/XX/2026, and simply ask them to actually read my previous email and point out that not just one piece of security failed on their end, but several all at once. With no response to my reply the case was closed at XXXX on the first of XXXX. Nearly XXXX hours before they even sent their last message, they closed it before I could even respond. On the XXXX of XXXX I created another case, to witch they responded on the XXXX at XXXX. Now they claim their records show that on XX/XX/2026 my account was accessed from a XXXX XXXX device and the IP address XXXX XXXX XXXX. This is the exact info I gave them in the previous case that they never had in the past, they then go on to once again blame me and the device that wasn't even connected to electricity at the time of unauthorized activity. I respond by copying my final message I gave in the last case on the same day at XXXX alongside screenshots of their previous statements about the devices location and IP addresses, the entirety of my final message from the previous case proving I'm the one that told them my IP, and a screenshot of XXXX  response to me inquiring about their connection with Coinbase XXXX They respond on the XXXX with an email that doesn't address any of the points I brought up and once again blames me and my computer for the unauthorized activity. I respond on the same day calling them out for not reading anything and informing them that I will be filing with the CFPB due to lack of security and accountability from Coinbase. Few minutes after I then also send an email requesting the recorded phone records from Coinbase. I have yet to receive a response as their final message was received on the XXXX at XXXX, the case was closed on the XXXX at XXXX. I have several calls with them but due to my poor memory and my inability to obtain the recorded phone calls I felt it best to omit them for the time being. However, though I am unable to recall some notable phone calls, one of witch the representative read through my case and openly admitted with me that Coinbase is partially at fault for all this, and on the XXXX of XXXX I was able to verify they they are unable to reference other case numbers in their own cases. At the time of writing I have XXXX open cases, and two closed cases with Coinbase, apparently each time you call Coinbase they open a new case, I have 3 different cases that exist simply because the call dropped, 3 different cases that simply exist because I called asking for updates on my cases, and 5 open cases about unauthorized access on my account. I have uploaded 26 screenshots of every relevant email conversation I have had with Coinbase and XXXX, arranged to match the timeline presented above. Due to my poor memory and the volume of messages, it is possible that a screenshot was inadvertently uploaded twice or that one may have been omitted. I have made every effort to provide a complete and accurate record. Should one be missing, please inform me as I am more than willing to send the missing image. Also upon request I am in possession o of an audio recording involving a XXXX representative confirming that no bank was created with my name before the XXXX of XXXX.","date_sent_to_company":"2026-02-11T12:58:07.000Z","issue":"Other transaction problem","sub_product":"Virtual currency","zip_code":"99352","tags":null,"has_narrative":true,"complaint_id":"19414601","timely":"Yes","company_response":"Closed with monetary relief","submitted_via":"Web","company":"Coinbase, Inc.","date_received":"2026-02-11T12:42:43.000Z","state":"WA","company_public_response":null,"sub_issue":null},"highlight":{"complaint_what_happened":["On the <em>XXXX</em> of <em>XX/XX</em>/2026 I accidentally and unknowingly downloaded A virus and although I ran A virus scan it came back clean. On the <em>XXXX</em> of <em>XX/XX</em>/2026 I woke up to find that several accounts of mine had been compromised, specifically every one of them that had A password saved in my <em>browser</em>. After downloading Malware-bytes and running A scan it found a <em>XXXX</em>  that was disguising itself as my <em>browser</em>."]},"sort":[9.649829,"19414601"]},{"_index":"complaint-public-v1","_id":"4820401","_score":7.2554913,"_source":{"product":"Checking or savings account","complaint_what_happened":"Truist Bank will not let me access my checking accounts to pay my bills, transfer mney or even look at my balance because I will not agree to sign their Disclosure and Consent to Use Electronic Signatures and Communicationss that is pages and pages long. It looks like extortion to me. Plus they have the nerve to ask me to print this long document. Among other things the document states the following : \" Communications '' means all documents that you obtain from us that are related to your Accounts and Services. This includes, but is not limited to : Periodic, annual, monthly or other statements, including any notices related to such statements that we are required or permitted to include with the paper statements ; Terms and conditions and user authorizations, account agreements, fee schedules or other disclosures or notices that may be required by the Truth in Savings Act, Electronic Fund Transfer Act, Truth in Lending Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Gramm Leach Bliley Act, the Real Estate Settlement Procedures Act or other applicable federal or state laws and regulations ; Any notice or disclosure regarding an account, product or service fee, such as a late fee, an overdraft fee, an overlimit fee, a fee for a draft, check or electronic debit returned for any reason, such as insufficient funds fee or a fee as a result of a stop payment order ; Any notice of the addition of new terms and conditions or the deletion or amendment of existing terms and conditions applicable to accounts, products or services you obtain from us Disclosures and notices related to the maintenance or operation of your accounts, Online bill payments and payment transaction detail and payment authorizations Transaction histories, which include notices relating to fees such as overdraft fees and late fees Policies and procedures ( including our Privacy Policy ) Responses to claims and disputes, Extension and modification agreements, Tax Forms including but not limited to W9s and 1099s and tax reports related to an Account or Service, which we are permitted to deliver electronically All other communications or information related to your Accounts that we are required to provide in writing in connection with our relationship with you. \n\n\" We, '' \" Us, '' \" Our, '' \" XXXX XXXX XXXX, '' \" SunTrust, '' and \" Truist, '' means the Truist entity where your Account is held. \" You '' and \" Your '' means the person giving this consent. \n2. Scope of Consent. : By giving your affirmative consent, you agree that for all of your eligible accounts, products and services, we may electronically deliver all Communications to you and that we can terminate delivery of Communications by paper. We can also use and obtain electronic signatures from you as well as deliver Communications to you electronically for any future transactions, products, or services unless and until you withdraw your consent to use Electronic Signatures and Communications. ( See Section 1 above, for a listing of the types of documents, communications, and notices covered within the definition of \" Communication. '' ) 4. Withdrawing Consent. \n\nIn order to withdraw Consent to the Use of Electronic Signatures and Communications, you may : Call Truist at XXXX ( XXXX ) Withdrawal of consent may result in a fee or a change in a fee amount for some Accounts. Please refer to your account agreement and account fee schedule for information. We will not charge you a fee for processing the withdrawal of your consent, but your access to, and use of, certain services or account features may be terminated. \n\n5. Requesting Paper Copies. \nYou can obtain a paper copy of an electronic Communication by printing it yourself from the pdf provided or by requesting that we mail you a paper copy. We may charge you a reasonable service charge, with prior notice of any such charge, for the delivery of paper copies of any Communication provided to you electronically pursuant to this Disclosure and Consent. To request a paper copy, call Truist at XXXX ( XXXX ). \n6. Updating Your Contact Information. You agree to provide us with your accurate personal contact information and to promptly notify us of any changes. You can update your contact information ( including your email address and mobile phone number ) by contacting us at XXXX ( XXXX ). You can also update your contact information through Online Banking and our mobile application. \n\nIf you fail to update or change an incorrect or invalid e-mail address or other contact information, you understand and agree that any Communication shall nevertheless be deemed to have been provided to you if it was made available to you in electronic form on our websites, Online Banking, mobile application, or emailed to the email address we have for you in our records, or delivered through other electronic means. \n7. Hardware and Software Requirements.\n\nIn order to use electronic signatures and Communications you must have access to the following technology : A current version ( defined below ) of an Internet browser, such as XXXX, Chrome, or XXXX ; A connection to the Internet ; A current version of a program that accurately reads and displays .PDF files ; and A computer and operating system capable of supporting all of the above. You will also need a printer if you wish to print out and retain communications on paper and electronic storage if you wish to retain communications in electronic form. \nBy \" current version, '' we mean a version of the software that is currently being supported by its publisher. We reserve the right to discontinue support of a current version of software if, in our sole opinion, it suffers from a security flaw or other flaw that makes it unsuitable for use. \nYou will also need a working email account to receive, view, sign and print your Communications. To verify that you have all of the necessary hardware and software for you to use Electronic Signatures and receive electronic Communications on your devices, please verify that you were able to read this electronic disclosure and that you also were able to print on paper or electronically save this page for your future reference and access or that you were able to email this document to an address where you are able to print on paper or save it for your future reference and access. \n8. Consent to Use Electronic Signatures and Communications.\n\nBy consenting to the Use of Electronic Signatures and Communications, you hereby attest and agree that : You have read, understand, and agree to this Disclosure and Consent to Use Electronic Signatures and Communications ; You affirmatively agree to the use Electronic Signatures and Communications as described herein ; The Electronic Signatures and Communications will have the same legal effect as written and/or signed paper documents ; and You have the necessary hardware and software to view, save and print copies of Communications and to receive Communications that we send to you by email. \nYour consent to receive Communications electronically does not expire and is effective for the duration of our banking relationship. \nYou may change your electronic delivery settings at any time by visiting Online Banking or our mobile application.\n\nCommunications and disclosures provided on or with your periodic statements may contain important information and other legal disclosures concerning your accounts and you agree to review such statements in a timely manner.\n\n9. Retain Copies for Your Records.\n\nWe recommend that you print or download a copy of this Disclosure and Consent to Use Electronic Signatures and Communications, the applicable service or account agreement and all other Communications to retain for your permanent records ; if you have not already placed a copy of our Privacy Policy in your records, you can obtain a copy of our privacy notice by clicking this link. I didn't copy the entire document. As I said earlier, this is extortion. I hope you can do something about this.","date_sent_to_company":"2021-10-18T17:37:33.000Z","issue":"Managing an account","sub_product":"Other banking product or service","zip_code":"342XX","tags":null,"has_narrative":true,"complaint_id":"4820401","timely":"Yes","company_response":"Closed with explanation","submitted_via":"Web","company":"TRUIST FINANCIAL CORPORATION","date_received":"2021-10-18T16:37:59.000Z","state":"FL","company_public_response":"Company has responded to the consumer and the CFPB and chooses not to provide a public response","sub_issue":"Problem accessing account"},"highlight":{"complaint_what_happened":["We reserve the right to discontinue support of a current version of software if, in our sole opinion, it suffers from a <em>security</em> <em>flaw</em> or other <em>flaw</em> that makes it unsuitable for use. \nYou will also need a working email account to receive, view, sign and print your Communications."]},"sort":[7.2554913,"4820401"]},{"_index":"complaint-public-v1","_id":"8869145","_score":5.974833,"_source":{"product":"Credit card","complaint_what_happened":"CFPB Complaint - Unresolved Fraudulent Transaction, Insufficient Investigation, and Misinterpretation of Evidence by Chase Bank I am submitting this third complaint to the CFPB as Chase Bank has failed to satisfactorily resolve the unauthorized transaction on my credit card ending in XXXX, despite multiple disputes and evidence provided. \n\nSequence of Events : XXXX. On XX/XX/XXXX, an unauthorized transaction of {$840.00} was made by XXXX XXXX on my credit card. \nXXXX. I reported the fraud on XX/XX/XXXX, and a provisional credit was applied to my account. \nXXXX. On XX/XX/XXXX, Chase reversed the provisional credit and the fraudulent charge reappeared on my account. No proper notification was provided, and the result was only available in a hard-to-find message center on their website. \nXXXX. I called Chase on XX/XX/XXXX, to appeal the decision. The representative admitted the communication issue and reopened the investigation after I provided additional commentary. \nXXXX. I filed a complaint with the CFPB, to which Chase responded on XX/XX/XXXX, closing the case with an explanation that the XXXX address matched my records. They failed to address my additional evidence and commentary. \nXXXX. On XX/XX/XXXX, I called Chase at XXXX PM after receiving an incorrect letter stating the appeal was decided against me, despite the open CFPB complaint. The representative was unprofessional, disrespectful, and provided conflicting information about the status of the appeal. She claimed a callback would occur but it did not. \nXXXX. On XX/XX/XXXX, I opened a second CFPB dispute, providing XXXX attachments as evidence of data breaches and security risks associated with my email and Chase account. \nXXXX. On XX/XX/XXXX, Chase responded, stating that my evidence does not support my claim that my account or device was hacked. They acknowledged confusion in their own chain of command and relaying information between departments. \nXXXX. On XX/XX/XXXX, I am submitting this third CFPB dispute to address Chase 's misinterpretation of the evidence and their continued failure to resolve the fraudulent transaction. \nInsufficient Evidence and Flawed Investigation : Chase continues to rely solely on a matching IP address as conclusive evidence to deny my fraud claim. However, this is entirely insufficient, as it is a well-established fact in the cybersecurity field that IP addresses can be spoofed, and devices can be compromised to commit fraud. The bank has failed to properly consider the substantial evidence I provided, which clearly demonstrates that my information was breached, enabling the fraudulent transaction. \nI have provided four pieces of evidence that collectively prove my account was compromised : XXXX. Attachment XXXX : A PDF showing that my email, XXXX, which is associated with my Chase account, has been involved in XXXX different data breaches. This indicates that my personal information has been exposed multiple times, greatly increasing the risk of unauthorized access to my accounts. This pdf originates from the website haveibeenpwned.com a website owned an operated by XXXX XXXX and information security professional. \nXXXX. Attachment XXXX : A screenshot from XXXX XXXX, flagging my Chase account as a high-priority recommendation to change my password due to it being easily guessed and reused. The screenshot also shows XXXX security risks found in my XXXX XXXX, with the Chase account being XXXX of them. This demonstrates the clear vulnerability of my account information. \nXXXX. Attachment XXXX : A screenshot from haveibeenpwned.com, confirming that my email has been involved in XXXX data breaches, corroborating the information in Attachment XXXX. \nXXXX. Attachment XXXX : A recent virus scan of my home PC, revealing XXXX malware detections. This PC contains my passwords, including the one for the compromised Chase account, and provides access to my home IP address, which Chase claims matches the fraudulent transaction. Furthermore, my Chase credit card information is saved in my web browsers on this PC, which I routinely use to make XXXX purchases. The presence of malware on my device, combined with the fact that both my Chase account and credit card information are saved on the same compromised PC, conclusively proves that unauthorized access to my account occurred. A hacker could easily obtain my card information through remote access of the PC via the detected malware. \nXXXX. Attatchment XXXX : A pdf showing that my email, XXXX, associated with my Chase account, has been involved in XXXX data breaches, according Norton.com, a globally renown anti-virus XXXX XXXX. \nThe combination of these XXXX pieces of evidence irrefutably demonstrates that my personal information and devices were compromised, leading to the fraudulent transaction being conducted without my authorization. The fact that the unauthorized transaction originated from my home IP address is a direct result of my device being hacked, as the malware allowed the perpetrator to control my PC remotely and access my saved Chase account information. \nMoreover, the fraudulent transaction is entirely inconsistent with my historical spending patterns on this XXXX credit card. Since obtaining the card, I have exclusively used it for purchases from XXXX and XXXX XXXX, which is owned by XXXX. The fraudulent transaction, however, was made by an unknown third party, XXXX XXXX, which bears no relation to my typical use of the card. This glaring discrepancy should have been a clear red flag for Chase, prompting a more thorough investigation into the transaction 's legitimacy. \nChase 's failure to consider this inconsistency, along with the overwhelming evidence of my compromised personal information and devices, further demonstrates the inadequacy of their investigation. A competent and fair investigation, as required by Regulation E, would have taken into account my transaction history and recognized the highly unusual nature of the fraudulent charge.\n\nChase 's dismissal of this evidence and reliance on a single matching IP address demonstrate a severe lack of thorough investigation and a failure to consider the full context of the situation. The bank 's investigation appears to lack the necessary diligence and fails to consider all available evidence and circumstances. Regulatory guidance on investigating fraud under Regulation E mandates that banks conduct comprehensive investigations and not rely on a single piece of evidence, such as an IP address match.\n\nThe bank 's failure to properly evaluate the evidence I have provided and to conduct a thorough investigation is unacceptable. It is crucial that Chase takes all available information into account and considers the full context of the situation to arrive at the correct conclusion regarding the fraudulent transaction on my account. The evidence I have presented conclusively proves that the transaction was unauthorized and resulted from a breach of my personal information and devices.\n\nPoor Communication and Procedural Failures : Chase 's handling of my case has been marked by poor communication and procedural failures throughout the entire process. The bank failed to properly notify me of the initial investigation results, leaving the outcome buried in a hard-to-find message center on their website rather than providing clear, direct communication. This lack of transparency and accessibility has caused significant confusion and frustration.\n\nFurthermore, during my attempts to appeal the decision and seek resolution, I have encountered unprofessional and unhelpful representatives who have provided conflicting information about the status of my case. On XX/XX/XXXX, I received an incorrect letter stating that the appeal was decided against me, despite the fact that my CFPB complaint was still open. When I called Chase to address this discrepancy, the representative was disrespectful, accusatory, and failed to provide accurate information. They initially claimed the appeal was closed, then backtracked and stated it was still open, promising a callback that never occurred. \nThese communication breakdowns and procedural inconsistencies have not only exacerbated an already stressful situation but have also denied me a fair and transparent process, which is contrary to the consumer protection objectives of Regulation E. Chase 's own acknowledgment of confusion in their chain of command and information relay between departments further highlights the systemic issues in their handling of fraud cases.\n\nThe emotional and financial toll of dealing with this fraudulent transaction has been compounded by Chase 's poor communication and procedural failures. The bank 's inability to provide clear, consistent information and to follow through on promises made by their representatives has left me feeling frustrated, misled, and without a clear path to resolution. \nIt is unacceptable for a financial institution to subject its customers to such a lack of transparency, professionalism, and efficiency when handling sensitive matters such as fraud. Chase 's conduct throughout this process has fallen far short of the standards expected of a major bank and has caused significant harm to me as a consumer. \nRemedial Actions Requested : In light of the overwhelming evidence demonstrating the fraudulent nature of the transaction and Chase 's mishandling of my case, I am requesting the following remedial actions : XXXX. An immediate reversal of the {$840.00} fraudulent transaction and a permanent credit to my account. \nXXXX. A thorough, independent re-investigation of my fraud claim, conducted by a competent and unbiased third party, to ensure all evidence is properly considered and the correct conclusion is reached. \nXXXX. A comprehensive audit of Chase Bank 's fraud investigation practices, customer communication protocols, and staff training to identify and address the systemic issues that have led to the mishandling of my case and likely many others. \nXXXX. The implementation of stricter security measures and fraud detection systems to prevent similar incidents from occurring in the future, as well as improved communication channels and procedural safeguards to ensure customers are treated fairly and kept informed throughout the fraud resolution process. \nXXXX. Appropriate disciplinary action against the representatives who have provided misleading information, failed to follow through on commitments, and treated me with disrespect and unprofessionalism throughout this ordeal. \nLegal and Regulatory Framework : Regulation E, which governs electronic fund transfers, mandates that banks conduct thorough and fair investigations of reported errors, including unauthorized transactions. Specifically, Section 1005.11 ( c ) requires banks to promptly investigate and determine whether an error occurred within 10 business days, or 45 days if provisional credit is provided. Chase 's failure to properly investigate my claim and consider all available evidence constitutes a violation of these requirements.\n\nMoreover, the Consumer Financial Protection Act ( CFPA ) prohibits unfair, deceptive, or abusive acts or practices ( UDAAP ) by financial institutions. Chase 's poor communication, procedural failures, and dismissal of clear evidence supporting my fraud claim XXXX constitute violations of the XXXX 's XXXX provisions. \nConclusion : The evidence I have provided conclusively proves that the transaction in question was fraudulent and resulted from a breach of my personal information and devices. Chase 's failure to properly investigate my claim, consider all available evidence, and provide clear, consistent communication throughout the process constitutes a gross violation of their obligations under Regulation E and the CFPA.\n\nI urge the CFPB to take swift action to compel Chase to resolve this matter in accordance with the law and to ensure that the bank 's fraud investigation and customer service practices are brought in line with regulatory requirements and consumer protection principles.\n\nIf a satisfactory resolution is not reached promptly, I am prepared to escalate this matter further, including taking legal action and involving additional regulatory agencies and consumer advocacy groups. The gravity of Chase 's misconduct in this case demands a strong response to protect myself and other consumers from similar mistreatment. \nThank you for your attention to this urgent matter. I trust that the CFPB will take decisive action to ensure that justice is served, and that Chase is held accountable for its failures. \nSincerely, XXXX XXXX","date_sent_to_company":"2024-04-26T18:41:12.000Z","issue":"Problem with a purchase shown on your statement","sub_product":"General-purpose credit card or charge card","zip_code":"75063","tags":null,"has_narrative":true,"complaint_id":"8869145","timely":"Yes","company_response":"Closed with explanation","submitted_via":"Web","company":"JPMORGAN CHASE & CO.","date_received":"2024-04-26T18:28:32.000Z","state":"TX","company_public_response":null,"sub_issue":"Card was charged for something you did not purchase with the card"},"highlight":{"complaint_what_happened":["This pdf originates from the website haveibeenpwned.com a website owned an operated by <em>XXXX</em> <em>XXXX</em> and information <em>security</em> professional. \n<em>XXXX</em>. Attachment <em>XXXX</em> : A screenshot from <em>XXXX</em> <em>XXXX</em>, flagging my Chase account as a high-priority recommendation to change my password due to it being easily guessed and reused. The screenshot also shows <em>XXXX</em> <em>security</em> risks found in my <em>XXXX</em> <em>XXXX</em>, with the Chase account being <em>XXXX</em> of them. This demonstrates the clear vulnerability of my account information."]},"sort":[5.974833,"8869145"]}]},"aggregations":{"has_narrative":{"meta":{},"doc_count":16,"has_narrative":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":1,"key_as_string":"true","doc_count":16}]}},"product":{"doc_count":16,"product":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Credit reporting or other personal consumer reports","doc_count":5,"sub_product.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Credit reporting","doc_count":5}]}},{"key":"Checking or savings account","doc_count":3,"sub_product.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Checking account","doc_count":2},{"key":"Other banking product or service","doc_count":1}]}},{"key":"Money transfer, virtual currency, or money service","doc_count":3,"sub_product.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Mobile or digital wallet","doc_count":2},{"key":"Virtual currency","doc_count":1}]}},{"key":"Credit card","doc_count":2,"sub_product.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"General-purpose credit card or charge card","doc_count":2}]}},{"key":"Bank account or service","doc_count":1,"sub_product.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Checking account","doc_count":1}]}},{"key":"Credit card or prepaid card","doc_count":1,"sub_product.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"General-purpose credit card or charge card","doc_count":1}]}},{"key":"Credit reporting, credit repair services, or other personal consumer reports","doc_count":1,"sub_product.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Credit reporting","doc_count":1}]}}]}},"issue":{"doc_count":16,"issue":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Problem with a company's investigation into an existing problem","doc_count":4,"sub_issue.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Their investigation did not fix an error on your report","doc_count":4}]}},{"key":"Managing an account","doc_count":3,"sub_issue.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Problem accessing account","doc_count":2},{"key":"Problem using a debit or ATM card","doc_count":1}]}},{"key":"Problem with a purchase shown on your statement","doc_count":3,"sub_issue.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Card was charged for something you did not purchase with the card","doc_count":3}]}},{"key":"Deposits and withdrawals","doc_count":1,"sub_issue.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[]}},{"key":"Improper use of your report","doc_count":1,"sub_issue.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Reporting company used your report improperly","doc_count":1}]}},{"key":"Managing, opening, or closing your mobile wallet account","doc_count":1,"sub_issue.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[]}},{"key":"Other transaction problem","doc_count":1,"sub_issue.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[]}},{"key":"Problem with fraud alerts or security freezes","doc_count":1,"sub_issue.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[]}},{"key":"Unauthorized transactions or other transaction problem","doc_count":1,"sub_issue.raw":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[]}}]}},"timely":{"doc_count":16,"timely":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Yes","doc_count":16}]}},"company_response":{"doc_count":16,"company_response":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Closed with explanation","doc_count":12},{"key":"Closed with non-monetary relief","doc_count":3},{"key":"Closed with monetary relief","doc_count":1}]}},"submitted_via":{"doc_count":16,"submitted_via":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Web","doc_count":16}]}},"company":{"doc_count":16,"company":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"EQUIFAX, INC.","doc_count":3},{"key":"JPMORGAN CHASE & CO.","doc_count":3},{"key":"Paypal Holdings, Inc","doc_count":3},{"key":"CAPITAL ONE FINANCIAL CORPORATION","doc_count":1},{"key":"CREDIT ACCEPTANCE CORPORATION","doc_count":1},{"key":"Coinbase, Inc.","doc_count":1},{"key":"Experian Information Solutions Inc.","doc_count":1},{"key":"TRANSUNION INTERMEDIATE HOLDINGS, INC.","doc_count":1},{"key":"TRUIST FINANCIAL CORPORATION","doc_count":1},{"key":"UNITED SERVICES AUTOMOBILE ASSOCIATION","doc_count":1}]}},"state":{"doc_count":16,"state":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"CA","doc_count":4},{"key":"OH","doc_count":4},{"key":"TX","doc_count":2},{"key":"WA","doc_count":2},{"key":"FL","doc_count":1},{"key":"MO","doc_count":1},{"key":"NY","doc_count":1},{"key":"UT","doc_count":1}]}},"company_public_response":{"doc_count":16,"company_public_response":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"Company has responded to the consumer and the CFPB and chooses not to provide a public response","doc_count":4},{"key":"Company believes it acted appropriately as authorized by contract or law","doc_count":1}]}},"tags":{"doc_count":16,"tags":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[]}}},"_meta":{"license":"CC0","last_updated":"2026-07-14T12:00:00-05:00","last_indexed":"2026-07-14T12:00:00-05:00","total_record_count":16441818,"is_data_stale":false,"has_data_issue":false,"break_points":{}}}