The $58M Plaid Settlement: What It Means for Your Financial Data

Last updated: April 5, 2026

TLDR

Plaid settled a $58M class action in 2022 (98 million eligible class members) over allegations that its Link interface mimicked bank login screens to capture credentials, then used those credentials to access up to five years of transaction data beyond what users intended to share. Post-settlement changes include OAuth migration, improved disclosures, and a data deletion portal. What hasn't changed: Plaid still processes 500M+ transactions daily via Enrich and continues training ML models on aggregated data.

What Plaid Was Actually Alleged to Have Done

The lawsuit — In re Plaid Inc. Privacy Litigation, filed in the Northern District of California — did not allege a breach or a hack. It alleged a design decision.

Plaid’s Link product, the authentication interface used when you connect a bank account to a finance app, displayed login screens styled to look like your bank’s login page. The Chase-branded window, the Wells Fargo-branded window — these were Plaid’s creation, not Chase’s or Wells Fargo’s. Users believed they were logging directly into their bank. They were logging into a Plaid interface.

Using the credentials collected through this interface, Plaid accessed transaction data going back up to five years, more than most users would have understood they were authorizing, and more than the specific finance app they were connecting typically needed.

TD Bank filed a separate complaint in October 2020, alleging Plaid specifically mimicked TD’s trademark green color scheme to dupe TD customers into entering credentials. Plaid denied the allegations in both cases.

The $58M settlement received final approval in 2022. The 98 million eligible class members could submit claims for a share of the settlement fund. Plaid denied any wrongdoing but agreed to significant changes in practice.

What Changed Post-Settlement

OAuth migration: The most technically significant change. OAuth-based authentication means the bank generates a limited-permission token rather than Plaid storing your actual credentials. You log into your bank’s actual interface (not a Plaid facsimile), authorize the connection, and the bank gives Plaid a token. The token is revocable and scoped.

Data minimization: Plaid now commits to only retaining data necessary for the authorized use. The settlement required deletion of credentials and excess transaction data that had been collected beyond user authorization.
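The difference between stored credentials and a scoped, revocable token, and the data-minimization point that follows from it, as an added illustration (not Plaid's or any bank's code): a constructed token model in which the bank grants a read scope and a lookback window, so a pull of five years of history against a 90-day grant is refused, while the pre-OAuth stored-credential model has nothing to enforce. Scope strings, the 90-day window and the reference date are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2026, 4, 5)  # constructed reference date for the examples

@dataclass
class AccessToken:
    """Constructed model of an OAuth grant issued by the bank (not Plaid's API).
    The grant records what the user agreed to: which scopes, how far back."""
    token_id: str
    scopes: frozenset
    lookback_days: int
    revoked: bool = False

@dataclass
class StoredCredential:
    """Pre-OAuth model: the aggregator holds the user's real bank login.
    Nothing in it expresses a limit, so nothing can be enforced."""
    username: str
    password: str

def days_ago(n, today=TODAY):
    return today - timedelta(days=n)

def credential_access(cred, scope, requested_from, today=TODAY):
    # With a stored password the aggregator can fetch whatever the user could
    # see, as far back as the bank keeps it. The request is always "allowed".
    return True, "full account access via stored credentials"

def token_access(token, scope, requested_from, today=TODAY):
    """Return (allowed, reason). Refuses revoked tokens, ungranted scopes and
    history requests that reach back past the agreed lookback window."""
    if token.revoked:
        return False, "token revoked by user"
    if scope not in token.scopes:
        return False, f"scope {scope!r} not granted"
    earliest = today - timedelta(days=token.lookback_days)
    if requested_from < earliest:
        return False, f"history before {earliest.isoformat()} not authorized"
    return True, "ok"

def revoke(token):
    # Revocation at the aggregator/bank layer: the grant dies without the
    # user having to change their bank password.
    token.revoked = True

if __name__ == "__main__":
    tok = AccessToken("tok-1", frozenset({"transactions:read"}), 90)  # assumed grant
    print(token_access(tok, "transactions:read", days_ago(5 * 365)))
    print(credential_access(StoredCredential("alice", "hunter2"),
                            "transactions:read", days_ago(5 * 365)))
```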

Improved disclosures: The Link interface now more clearly identifies that Plaid (not the bank, not the app) is receiving the authentication and the data access. Users see Plaid branding rather than a bank-branded screen designed to obscure the intermediary.

my.plaid.com: A consumer data portal where any user can see every app connected to their accounts via Plaid, revoke individual connections, and delete their stored Plaid data. This was a settlement requirement. It’s useful: it reveals connections you may have forgotten about and provides direct revocation at the aggregator layer, not just within individual apps.

What Didn’t Change

Plaid processes enormous amounts of financial transaction data. That is its business.

Plaid’s Enrich product provides ML-enriched transaction data — categorization, merchant identification, spending pattern analysis — built on the aggregated transaction data from its entire user base. This is not data sold to third parties, but it is data used to train and improve commercial products.

Plaid’s privacy policy prohibits selling transaction data. The data use that does occur — aggregation for product improvement, ML training — happens within Plaid’s systems rather than being licensed externally. Whether that is an acceptable data use is a judgment call, but it’s different from Yodlee’s hedge fund subscriptions.

The credential-stuffing risk also remains, though reduced. MX’s technical documentation has acknowledged that “the only type of attack most aggregators are truly vulnerable to is credential stuffing” — where attackers use credentials leaked from other breaches to gain access to aggregated financial data. OAuth migration reduces the attack surface but does not eliminate the risk entirely.
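Credential stuffing against an aggregator login looks different from one user fumbling a password: a single source cycles through many distinct accounts with a low success rate. As an added, defender-side illustration that is not from the page or from MX, here is a small detector run over constructed sample log lines; the log format, field names, the 10-minute window and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log for an aggregator login endpoint (not real data).
# 203.0.113.9 tries six different accounts in six seconds; 198.51.100.7 is one
# user retrying their own password.
SAMPLE_LOG = """\
2026-04-05T10:00:01Z ip=203.0.113.9 user=alice result=fail
2026-04-05T10:00:02Z ip=203.0.113.9 user=bob result=fail
2026-04-05T10:00:03Z ip=203.0.113.9 user=carol result=success
2026-04-05T10:00:04Z ip=203.0.113.9 user=dave result=fail
2026-04-05T10:00:05Z ip=203.0.113.9 user=erin result=fail
2026-04-05T10:00:06Z ip=203.0.113.9 user=frank result=fail
2026-04-05T10:00:10Z ip=198.51.100.7 user=alice result=fail
2026-04-05T10:00:15Z ip=198.51.100.7 user=alice result=fail
2026-04-05T10:00:20Z ip=198.51.100.7 user=alice result=success
2026-04-05T11:30:00Z ip=203.0.113.9 user=grace result=fail
"""

LINE_RE = re.compile(r"(\S+) ip=(\S+) user=(\S+) result=(\S+)")

def parse_log(text):
    """Return [(timestamp, ip, user, succeeded)], skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "success"))
    return events

def flag_stuffing(events, window=timedelta(minutes=10), min_accounts=5,
                  max_success_ratio=0.5):
    """Return {ip: distinct_accounts} for sources that attempted at least
    min_accounts distinct usernames inside one sliding window with a success
    ratio at or below max_success_ratio."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1          # slide the window forward
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_accounts and successes / len(win) <= max_success_ratio:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged
```

A shared corporate NAT or a carrier gateway also produces many accounts per source address, so this is a triage signal to combine with rate and reputation context rather than a standalone block rule.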

The TD Bank Suit and Design Deception

The TD Bank lawsuit, filed October 2020, was narrower but illustrative. TD alleged that Plaid deliberately replicated TD’s trademark green color scheme and interface design to make Plaid’s credential capture screen appear to be TD’s own login page. The suit alleged “duping” — not a technical attack, but a design decision to induce credential entry.

This case underscores that the core concern was interface deception, not infrastructure vulnerability. Users were not hacked; they were misled about who they were giving their credentials to.

CFPB 1033: The Rule That Would Have Addressed This

The CFPB’s Section 1033 rule, finalized October 2024, would have mandated OAuth-based API access for all covered financial institutions and prohibited selling consumer data collected under data access authorization. It would have made mandatory across the industry what the Plaid settlement imposed on Plaid specifically.

In October 2025, a federal court issued an injunction blocking the rule. The rule is currently under reconsideration. The consumer protections it would have provided are not in force.

What to Look for in a Finance App

The Plaid settlement changed Plaid’s practices. It did not change the underlying question of what any given app does with your data once it receives it from the aggregator.

The checklist for evaluating a finance app’s data practices:

Aggregator: Does the app use Plaid, MX, Finicity, Yodlee, or direct bank APIs? The aggregator’s data practices layer underneath the app’s.

App’s own privacy policy: Does it explicitly prohibit selling transaction data to third parties? “We don’t share your data” is different from “we don’t sell your data” — the former can include sharing with advertising partners.

Business model: Subscription-funded apps have no commercial incentive to monetize user data externally. Ad-supported or free apps generate revenue through other means — financial product referrals, analytics products, or advisory upsells.

SOC 2 Type II: An independent security audit confirming that the app’s security controls operate as described. Most reputable apps have this; it’s the baseline, not a differentiator.

Data deletion: Can you delete your account and have your data removed? Is there a documented timeline? The my.plaid.com portal is Plaid’s answer to this — the app you use should have its own equivalent.

Q&A

What was the Plaid class action lawsuit about?

In re Plaid Inc. Privacy Litigation (N.D. Cal.) alleged that Plaid's Link interface displayed fake bank-branded login screens that led users to believe they were authenticating directly with their bank. Users entered their banking credentials into what appeared to be their bank's login page — but were actually entering them into a Plaid-controlled interface. Plaid then used those credentials to access up to five years of transaction data, more than users intended to authorize. TD Bank filed a separate suit (October 2020) alleging Plaid used TD's trademark green color scheme to dupe TD customers. The $58M class action settled in 2022; Plaid denied the allegations.

What did the Plaid settlement require?

The settlement required Plaid to: delete previously collected credentials and excess transaction data; implement data minimization — only collecting data users explicitly authorize; improve disclosures in the Plaid Link interface so users understand they're authorizing Plaid (not just the app) to access their data; and provide a data portal (my.plaid.com) where users can view all apps connected via Plaid and delete their stored data. Plaid also committed to accelerating its OAuth migration — moving from credential storage to token-based authentication.

Is Plaid safe to use now after the settlement?

Plaid's security and privacy practices improved post-settlement. The OAuth migration — away from credential storage toward token-based access — is the most meaningful technical change. As of September 2024, Plaid reports 80% of traffic on or committed to APIs. Plaid holds SOC 2 Type II and ISO 27001 certifications, encrypts data with AES-256 at rest and TLS in transit, and explicitly prohibits selling transaction data in its current privacy policy. The remaining risk is data retention: Plaid still holds significant transaction data for ML model training (its Enrich product) and the scope of that data use warrants reading the current privacy policy before deciding.

Can I delete my Plaid data?

Yes. Go to my.plaid.com — Plaid's consumer portal — to see every app connected to your financial accounts via Plaid, revoke individual app authorizations, and delete your stored financial data from Plaid's systems. This portal was a direct requirement of the settlement. Deleting data through my.plaid.com is separate from disconnecting an app within the app itself — the portal lets you revoke access at the Plaid layer, which is more thorough.
