Alleged security breach leaves millions of dollars missing from Flutterwave accounts
Last month, Flutterwave, Africa’s largest startup by private valuation, was involved in a hack that resulted in more than ₦2.9 billion (~$4.2 million) missing from its accounts, according to local tech publication Techpoint Africa.
According to the documents seen by the publication and reviewed by TechCrunch, unknown actors transferred the funds across 28 accounts in 63 transactions in early February. Police investigations are ongoing as Flutterwave, via legal counsel and law enforcement parties, has filed a motion and seeks to freeze accounts across 27 financial institutions that interacted with the missing funds, Techpoint Africa reported.
Several tweets regarding the alleged hack also surfaced over the weekend. Some provided information about the hack, while others complained about frozen accounts that might be related to it. According to Techpoint Africa, the motion filed states that 107 accounts, including the fifth beneficiaries of those accounts, are to be placed on lien/Post-No-Debit (PND). This directive restricts bank customers from withdrawing funds from their accounts.
The cause and method of the attack remain unclear. However, one of the postulations from online commentary is that the hack might have been socially engineered, meaning that merchants’ keys were compromised, allowing the hackers to access the monies in their Flutterwave accounts.
Meanwhile, Flutterwave, via a statement on the matter, has denied that it was hacked:
At Flutterwave, we understand that our customers’ personal and financial information is of the utmost importance. We take this responsibility seriously and understand that any potential security breach can cause anxiety and concern among our customers. We want to reassure you that Flutterwave has not been hacked. As a financial institution, we monitor transactions through our transaction monitoring systems and 24-hour fraud desk and review any suspicious activity. We collaborate with other financial institutions and law enforcement agencies to keep our ecosystem safe and secure.
During a routine check of our transaction monitoring system, we identified an unusual trend of transactions on some users’ profiles. Our team immediately launched a review (in line with our standard operating procedure), which revealed that some users who had not activated some of our recommended security settings might have been susceptible.
We want to confirm that no user lost any funds, and we take pride in the fact that our security measures were able to address the issue before any harm could be done to our users.
Our commitment to keeping our users’ financial information safe and secure is why we invest heavily in security initiatives such as periodic audits, certifications, and licenses such as the PCI-DSS & ISO 27001. These are in line with global best practices in information security management.
We want you to continue to trust us and feel secure in using Flutterwave for your business needs. Our commitment is to enable your business growth while keeping your financial information safe and secure.
You may have recently heard some claims on Flutterwave's security. We want to assure you that Flutterwave has not been hacked, and no customer funds were lost.
Thank you for choosing us 🦋
Read more here 🙏🏾: https://t.co/a27ZIy0w1k pic.twitter.com/o3KfChucJ9
— Flutterwave (@theflutterwave) March 5, 2023
This is a developing story...