How to Hack Your Square Account (It Happened to Us)
On Friday, Jan 10 at 5:30PM Pacific, our account was compromised by a hacker who called Square Support and convinced them to turn off 2FA on our account. The hacker then changed the email address on the account, and other details, and started executing fraudulent charges. And, as a result, they logged out all of our POS systems, disabling our business from using the POS.
If someone has your account owner email address, password, social security and date of birth, they can ask Square Support to disable 2FA and compromise your account.
This is a MAJOR security mistake on the Square Support and operations team. Had 2FA not been disabled, the hacker would not have been able to compromise our account. Luckily, we caught the issue in time, and after many calls over the weekend, were able to restore access to our account, analyze the damage, and rectify the damage caused.
I have yet to be called back by a manager on the Account Services team, to conduct a retrospective of this security breach.
I am so upset, and amazed, that despite us taking the proper steps to secure our account, Square Support directly compromised us. WOW.
Posting to warn others.
- Update your password. Use something objectively strong generated by a password manager. Change the password from time to time.
- Call Square Support and ask them to add a flag / controls on your account to prevent any agent from making changes to your account, such as disabling 2FA. (!!!!)
Hello @twentysixcafe 👋
Thank you for bringing this to our attention and sharing your experience. I’m deeply sorry to hear about the security breach and the challenges it caused for your business. We understand how critical security is, and I can only imagine how stressful this situation must have been for you.
Your feedback highlights an important area for improvement, and I assure you that our team takes such incidents very seriously. I will escalate your concerns internally to ensure they are reviewed thoroughly and addressed appropriately. Additionally, I’ll request a follow-up from our Account Services team to provide you with the retrospective and reassurance you deserve.
In the meantime, your recommendations for strengthening account security are excellent, and I encourage all community members to consider them. If there’s anything else we can do to support you or if you have additional concerns, please don’t hesitate to reach out directly