Fintech startup Revolut has confirmed it was hit by a highly targeted cyberattack that allowed hackers to access the personal details of tens of thousands of customers.
Revolut spokesperson Michael Bodansky told TechCrunch that an “unauthorized third party obtained access to the details of a small percentage (0.16%) of our customers for a short period of time.” Revolut discovered the malicious access late on September 11 and isolated the attack by the following morning.
“We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected,” Bodansky said. “Customers who have not received an email have not been impacted.”
Revolut, which has a banking license in Lithuania, wouldn’t say exactly how many customers were affected. Its website says the company has approximately 20 million customers; 0.16% would translate to about 32,000 customers. However, according to Revolut’s breach disclosure to the authorities in Lithuania, first spotted by Bleeping Computer, the company says 50,150 customers were impacted by the breach, including 20,687 customers in the European Economic Area and 379 Lithuanian citizens.
Revolut also declined to say what types of data were accessed but told TechCrunch that no funds were accessed or stolen in the incident. In a message sent to affected customers posted to Reddit, the company said that “no card details, PINs or passwords were accessed.” However, the breach disclosure states that hackers likely accessed partial card payment data, along with customers’ names, addresses, email addresses and phone numbers.
The disclosure states that the threat actor used social engineering methods to gain access to the Revolut database, which typically involves persuading an employee to hand over sensitive information such as their password. This has become a popular tactic in recent attacks against a number of well-known companies, including Twilio, Mailchimp and Okta.
But Revolut warned customers of phishing emails, and urged customers to be careful when receiving any communication regarding the breach. The startup advised customers that it will not call or send SMS messages asking for login data or access codes.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
As a precaution, Revolut has also formed a dedicated team tasked with monitoring customer accounts to make sure that both money and data are safe.
“We take incidents such as these incredibly seriously, and we would like to sincerely apologize to any customers who have been affected by this incident as the safety of our customers and their data is our top priority at Revolut,” Bodansky added.
Last year Revolut raised $800 million in fresh capital, valuing the startup at more than $33 billion.
September 22: Updated to correct the date of the breach.
