Over the last few years, millions of people have flocked to apps like Robinhood to trade stocks and cryptocurrencies, seemingly drawn by the commission-free nature of these services. However, that has also made them attractive targets for hackers who are hunting for sensitive user data.
Robinhood is one of the most popular companies in the financial services industry, so it shouldn’t surprise anyone that malicious actors are constantly probing its security defenses in the hopes of getting access to precious financial information about the platform’s users.
The company says it suffered a security breach earlier this month that targeted its database and led to user data being leaked to an “unauthorized third party.”
If you’re using the service, you may have received an email letting you know about the incident, which was discovered on the evening of November 3 and led to the personal information of no less than 7 million users being exposed. The good news is that Robinhood found no evidence of hackers getting access to bank account numbers, debit and credit card numbers, or Social Security numbers. The company also says that no customers have suffered any financial loss as a result of the attack.
Apparently, the unauthorized third party didn’t have to jump through significant hoops to perform the attack. Instead, the person or the group in question “socially engineered a customer support employee by phone.” This allowed them to get a list of email addresses for 5 million users and full names for a separate group of 2 million users.
For around 310 people, the attackers were able to dig deeper for additional personal information, including the date of birth, zip codes, and more. Ten people had their accounts compromised in a more extensive way, but the company maintains that no sensitive information was exposed.
Robinhood says the unauthorized third party was seeking an “extortion payment,” which prompted the company to notify law enforcement and enlist the help of security firm Mandiant for a thorough investigation of the incident.
In the meantime, the company recommends that users beware of email phishing scams that could impersonate Robinhood or other companies. But more importantly, you should use two-factor authentication and chat only with verified profiles on social networks.