Flagstar Bank customers who had their Social Security numbers stolen in a December 2021 cyberattack now have until August 11 to file claims against a $31.5 million settlement fund. The deal resolves Forman v. Flagstar Bancorp, Inc., No. 2:22-cv-10167, in the U.S. District Court for the Eastern District of Michigan, and covers an estimated 2.19 million people whose personal data was exposed during a two-day intrusion the bank did not detect for six months.
Claimants who can document out-of-pocket losses, including fraudulent charges, credit monitoring costs, and time spent fighting identity theft, may recover up to $25,000 per person. But the four-year gap between the breach and the filing deadline creates a serious practical problem: many affected customers may no longer have the records to prove what happened to them.
What happened at Flagstar
Unauthorized actors accessed Flagstar Bank’s internal network on December 3 and 4, 2021, according to a breach notification the bank filed with the Maine Attorney General’s office. The bank did not discover the intrusion until June 2, 2022. Written notices to affected consumers began going out on June 17, 2022. According to the Maine filing, Flagstar offered affected individuals complimentary credit monitoring and identity theft protection services at the time of notification.
The Maine filing confirms that Social Security numbers were among the compromised data, a detail that puts this breach in a different category than a typical email-and-password leak. The state’s disclosure lists 1,547,169 affected individuals, a figure that reflects the total count reported through Maine’s breach notification portal, which requires companies to disclose incidents regardless of where the affected consumers reside. The broader 2.19 million class figure in the federal litigation captures the full national scope.
One detail worth noting: Flagstar Bancorp was acquired by New York Community Bancorp in December 2022, and the parent company rebranded as Flagstar Financial, Inc. in 2024. The settlement addresses conduct that predates the acquisition, but customers searching for information should be aware that corporate names and contact channels have changed since the breach occurred.
What the settlement offers
The $31.5 million fund is the total pool available to all eligible claimants, based on terms described in federal court proceedings in the Eastern District of Michigan. These figures have been reported by secondary legal sources rather than drawn from a publicly linked court document, and no docket entry or order date for the preliminary approval has been identified in available records as of June 2026. Individual payouts for documented losses are capped at $25,000 per person, covering categories such as:
- Unreimbursed fraudulent charges on bank accounts or credit cards
- Costs of credit monitoring or identity theft protection services purchased after the breach
- Out-of-pocket expenses tied to resolving fraud or identity theft
- Time spent dealing with breach-related problems, typically compensated at a set hourly rate in similar settlements
The $25,000 cap is theoretical for most filers. In practice, large data breach settlements see claim rates in the single digits. When Equifax settled its 2017 breach for $425 million covering 147 million people, only a small fraction of eligible consumers submitted claims. The Flagstar fund is far smaller, but so is the class, and low participation could mean more meaningful payouts for those who file with solid documentation.
Whether the settlement includes a flat alternative payment for class members who cannot document specific losses has not been confirmed in any publicly available filing. Many comparable data breach settlements offer such an option, but until the full agreement and claim forms are posted to the court-approved settlement website, claimants should not assume one exists here.
How to file a claim
The claims deadline is August 11. As of June 2026, the specific claims portal URL has not appeared in publicly available primary documents, but affected customers should start preparing now:
- Find your breach notification letter. Flagstar mailed notices in June 2022. That letter may contain a unique ID or PIN required for filing. Check old mail, email archives, or any folder where you stored financial correspondence.
- Gather documentation. Pull together bank statements, credit card records, receipts for credit monitoring services, and any correspondence with financial institutions about fraudulent activity dating back to late 2021 or early 2022.
- Search for the settlement website. Court-approved settlement sites typically publish the full agreement, claim forms, and FAQs. Search for the case name, Forman v. Flagstar Bancorp, Inc., No. 2:22-cv-10167, Eastern District of Michigan.
- Verify your eligibility through the Maine AG’s filing. The original breach notice remains publicly accessible and can help confirm whether you were part of the affected group.
Key details that remain unconfirmed
Several factors that will shape individual payouts have not yet surfaced in publicly accessible filings. The exact payout formula, the claims administrator’s contact information, documentation standards for proving losses, and whether partial records will be accepted all remain open questions as of June 2026. Most data breach settlements include language in which the defendant denies wrongdoing while still providing compensation, but without the underlying agreement, that is an assumption rather than a confirmed fact in this case.
Why the four-year gap between breach and deadline matters most
The most significant obstacle for claimants is not the size of the fund. It is the timeline. The breach happened in December 2021. Customers were not notified until June 2022. And now, in mid-2026, they are being asked to reconstruct financial harm from more than four years ago.
That kind of delay is not unusual in data breach litigation, but it creates a real barrier for ordinary people. Bank statements from 2021 and 2022 may have been discarded or cycled out of online banking portals. Credit monitoring subscriptions purchased in a panic after the notification letter arrived may not have generated receipts that are easy to locate years later. The customers most harmed by the breach, those who spent hours on the phone disputing charges or freezing credit reports, are often the least likely to have kept a paper trail.
The Maine Attorney General’s office maintains a multi-year breach history spreadsheet that logs reported incidents across companies and sectors. Within that dataset, Flagstar stands out for both the volume of affected individuals and the length of the detection gap. Until the full settlement documents and claims process go public, the most reliable picture of this case comes from those state regulatory filings and court reporting. The confirmed facts point to a major exposure of sensitive personal data and a substantial, though finite, compensation fund. What remains to be seen is how many of the 2.19 million eligible customers can turn that opportunity into an actual check before August 11.



