Two things to rotate when a Plaid secret harvests bank data
An attacker with your Plaid client secret and stored access tokens bulk-pulls users' balances and transactions. User password resets do nothing. You rotate the secret and invalidate the Items.
Plaid aggregates users’ linked bank accounts, and your app calls it with a client secret plus per-user access tokens, the Items. The principal is that credential set, not a user login, and the data is about as sensitive as it gets.
How the attack works
The attacker calls the Plaid API using the app’s client_id and client_secret together with the stored access tokens, from a source identity never before seen for your backend. The session iterates over the Items, calling the balance and transactions endpoints across many linked accounts, then enumerates the auth and identity endpoints for account and routing numbers and account-holder details. The harvested financial records are posted out to an external host in batches. In ATT&CK terms this is T1078, Valid Accounts, combined with T1567, Exfiltration Over Web Service.
Why it works
The Plaid credentials were broadly scoped, long-lived, and reusable from anywhere, because they were neither vaulted nor restricted by egress, and the stored access tokens were not protected.
How to fix it
Plaid calls are authorized by the client secret plus the access tokens, so containment is two-part: rotate the client_secret and invalidate or rotate the affected access tokens, so the stolen credentials can no longer call the API. End-user password resets and IP blocks touch neither, and asking users to re-link while the old keys stay valid leaves the attacker free to keep pulling. Scope which users were hit from the Plaid API request logs joined with your backend logs: the full Item list shows what the attacker could have reached, not what was actually pulled. As a class fix, vault credentials and rotate them out of code, request only the Plaid products you need, restrict API egress, encrypt stored tokens, and monitor per-Item access rates.
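As an added example (not from the original post, and not Plaid's own tooling), here is the log join used to scope the pull: Plaid-side calls with no matching call from your own backend are the attacker's, and their Item IDs map to the users to notify. The log entries, field names, endpoint paths and item-to-user map below are constructed assumptions, not Plaid's real log schema.

```python
"""Scope a Plaid credential compromise by joining Plaid-side request logs with
backend logs. Log formats are constructed assumptions, not Plaid's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Plaid-side request log: one entry per call served under our client_id.
PLAID_LOG = [
    {"ts": "2024-05-01T10:00:01", "item_id": "item-A", "endpoint": "/accounts/balance/get", "src": "backend-1"},
    {"ts": "2024-05-01T10:00:05", "item_id": "item-B", "endpoint": "/transactions/get", "src": "backend-1"},
    {"ts": "2024-05-01T11:30:00", "item_id": "item-A", "endpoint": "/transactions/get", "src": "203.0.113.9"},
    {"ts": "2024-05-01T11:30:01", "item_id": "item-A", "endpoint": "/auth/get", "src": "203.0.113.9"},
    {"ts": "2024-05-01T11:30:02", "item_id": "item-C", "endpoint": "/identity/get", "src": "203.0.113.9"},
    {"ts": "2024-05-01T11:30:03", "item_id": "item-C", "endpoint": "/transactions/get", "src": "203.0.113.9"},
]

# Constructed backend log: every Plaid call our own service made, keyed the same way.
BACKEND_LOG = [
    {"ts": "2024-05-01T10:00:00", "item_id": "item-A", "endpoint": "/accounts/balance/get"},
    {"ts": "2024-05-01T10:00:04", "item_id": "item-B", "endpoint": "/transactions/get"},
]

ITEM_TO_USER = {"item-A": "user-1", "item-B": "user-2", "item-C": "user-3"}  # constructed


def unmatched_plaid_calls(plaid_log, backend_log, window=timedelta(seconds=5)):
    """Return Plaid-side calls with no backend call for the same Item and endpoint
    within `window`: calls made with our credentials that our backend never issued."""
    by_key = defaultdict(list)
    for e in backend_log:
        by_key[(e["item_id"], e["endpoint"])].append(datetime.fromisoformat(e["ts"]))
    hits = []
    for e in plaid_log:
        t = datetime.fromisoformat(e["ts"])
        candidates = by_key.get((e["item_id"], e["endpoint"]), [])
        if not any(abs(t - b) <= window for b in candidates):
            hits.append(e)
    return hits


def scope_compromise(plaid_log, backend_log, item_to_user):
    """Map unmatched calls to the Items, endpoints, users and source identities
    involved: what was actually pulled, not the full Item list."""
    hits = unmatched_plaid_calls(plaid_log, backend_log)
    items = defaultdict(set)
    for e in hits:
        items[e["item_id"]].add(e["endpoint"])
    return {
        "items": {i: sorted(eps) for i, eps in items.items()},
        "users": sorted({item_to_user[i] for i in items}),
        "sources": sorted({e["src"] for e in hits}),
    }
```

The returned "items" map doubles as the invalidation list, and the "users" list is the notification list.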
Practice it
We built this as a GraphLattice Range scenario so teams can rehearse rotating the client secret, invalidating the Items, and scoping which users’ data was pulled.