Hacker News
by renewiltord 1592 days ago
Do they actually? My provider only lets me edit those details (with a low quality preview of first 4 digits and a CC icon). Interesting that yours makes those visible to you. You literally can't get those out of my provider. The data doesn't make it out.

This is also what we've encountered so far... though it's probably safe to assume at least a few providers have looser security protocols.
Other billing information is always available, such as:

- Am I behind on my power bills? By how much?

- How many credit cards do I have on file and how many are expired?

Such information is still sensitive even if it doesn't leak full credit card numbers.

Also, anyone who has ever used City of Palo Alto Utilities should probably fear for their credit card information.

I think if your threat model involves that being risky, it's probably best not to use Plaid/Pelm/Arcadia. My threat model and that of any users I can imagine is not in that realm.

I don't use Plaid, and as a result I also don't use services like Brex, which are impossible to use if you reject Plaid.

Seems consistent with your threat model. Good work.