Our #remitly account was hacked and $5000 was stolen. They bypassed multifactor authentication (SMS code); #remitly did not detect or notify us of the hack. We did not receive any notification when the criminal attacker logged in from another country.
All of this points to huge flaws in Remitly. We are in contact with the security department.
Bypass of Multifactor Authentication
Even if they did a brute-force attack, guessed, or somehow stole the password, two-factor authentication was enabled. The criminal was able to get into the #remitly account without us receiving an SMS authentication code.
No Notification Of Location Change
They logged in from another country and we did not get a notification of this. If someone is logging in from a place that is not where you typically log in from, there should be (at the least) a notification of this deviation in behavior.
No Notification of Suspicious Activity
We had three different accounts attached to #remitly. They made 1000 USD duplicate accounts on a credit card. When they attempted to do the same thing on a debit card, the bank flagged the transaction based on the location of where the money was being sent and the duplicate transactions. They were able to remove money from the third bank account. Remitly did not detect this suspicious activity.
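The two controls the post says were missing, a login from a country the account has never used and repeated same-amount transfers to the same recipient across several funding sources, are both simple to express as rules over an event log. The following is an added illustration of what such rules look like; it is example code written for this page, not Remitly's code, and every account name, timestamp, country code, funding source, recipient and threshold in it is a constructed assumption.

```python
"""Login-anomaly and duplicate-transfer detection over a constructed event log.

Added illustration only (not Remitly's code). The events below are invented
to mirror the sequence described in the post: three normal logins, one login
from a new country, then 1000 USD transfers repeated across a credit card,
a debit card and a third bank account within a few minutes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login history: (account, ISO timestamp, country). Not real data.
LOGINS = [
    ("acct-1", "2024-03-01T09:00:00", "US"),
    ("acct-1", "2024-03-05T18:30:00", "US"),
    ("acct-1", "2024-03-20T02:10:00", "US"),
    ("acct-1", "2024-04-02T03:45:00", "NG"),   # first ever login from a new country
]

# Constructed transfer log: (account, ISO timestamp, funding source, amount, recipient).
TRANSFERS = [
    ("acct-1", "2024-04-02T03:50:00", "credit-card-1", 1000.00, "recipient-X"),
    ("acct-1", "2024-04-02T03:52:00", "credit-card-1", 1000.00, "recipient-X"),
    ("acct-1", "2024-04-02T03:55:00", "debit-card-1", 1000.00, "recipient-X"),
    ("acct-1", "2024-04-02T04:01:00", "bank-3", 1000.00, "recipient-X"),
    ("acct-2", "2024-04-02T10:00:00", "bank-1", 50.00, "recipient-Y"),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def new_country_logins(logins, min_history=1):
    """Return (account, timestamp, country) for every login from a country that
    does not appear in that account's earlier logins. `min_history` prior
    logins are required so a brand-new account does not alert on its first
    login. Events are processed in time order regardless of input order."""
    seen = defaultdict(set)
    count = defaultdict(int)
    alerts = []
    for acct, ts, country in sorted(logins, key=lambda e: parse(e[1])):
        if count[acct] >= min_history and country not in seen[acct]:
            alerts.append((acct, ts, country))
        seen[acct].add(country)
        count[acct] += 1
    return alerts


def duplicate_transfers(transfers, window=timedelta(minutes=15)):
    """Flag a transfer when the same account already sent the same amount to the
    same recipient within `window`. The key deliberately ignores the funding
    source, so splitting the repeats across cards and bank accounts (as in the
    post) does not evade the rule. Each flagged transfer is returned in full."""
    last_seen = {}
    flagged = []
    for acct, ts, source, amount, recipient in sorted(transfers, key=lambda e: parse(e[1])):
        key = (acct, amount, recipient)
        t = parse(ts)
        prev = last_seen.get(key)
        if prev is not None and t - prev <= window:
            flagged.append((acct, ts, source, amount, recipient))
        last_seen[key] = t
    return flagged


def accounts_to_hold(logins, transfers):
    """Accounts where a new-country login was followed by duplicate transfers:
    the combination described in the post, and a reasonable trigger for a
    manual-review hold on payouts rather than silent processing."""
    first_alert = {}
    for acct, ts, _ in new_country_logins(logins):
        first_alert.setdefault(acct, parse(ts))
    hold = set()
    for acct, ts, *_ in duplicate_transfers(transfers):
        if acct in first_alert and parse(ts) >= first_alert[acct]:
            hold.add(acct)
    return hold


if __name__ == "__main__":
    for alert in new_country_logins(LOGINS):
        print("new-country login:", alert)
    for dup in duplicate_transfers(TRANSFERS):
        print("duplicate transfer:", dup)
    print("hold for review:", sorted(accounts_to_hold(LOGINS, TRANSFERS)))
```

On the constructed data the login rule fires once (the NG login), the duplicate rule flags the second credit-card transfer and then the debit-card and third-bank transfers, and the account is placed on hold. The window and the choice to key duplicates on (account, amount, recipient) rather than on funding source are the design decisions that matter: a per-card rule would have let each funding source through once, which is the pattern the post describes.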