Robinhood Data Breach Affects 7 Million Users
Late on Wednesday evening last week, a Robinhood customer support employee received a phone call from an unknown perpetrator who socially engineered his way into some of Robinhood’s customer support systems. The cybercriminal managed to steal a list containing the email addresses of approximately five million people. On top of that, he accessed a list with the full names of a different group of approximately two million people. In total, about a third of Robinhood’s customers have been affected. The unauthorized party then demanded an extortion payment in exchange for not disclosing the breach. Robinhood promptly notified law enforcement instead. “We owe it to our customers to be transparent and act with integrity,” said Robinhood Chief Security Officer Caleb Sima in a blog post. “Following a diligent review, putting the Robinhood community on notice of this incident now is the right thing to do.”
Only a Limited Amount of Information Exposed
Depending on the systems accessed, data with various levels of detail was stolen. Robinhood believes that only a limited number of people—approximately 310 in total—had additional personal information exposed, including their names, birth dates, and zip codes. A subset of approximately 10 customers had “more extensive account details” revealed. The company believes that the cybercriminal was not able to obtain any social security numbers, bank account numbers, or debit card numbers. Moreover, none of their customers incurred financial losses as a result of the security incident.
Investigation Is Ongoing
Robinhood has contained the incident and reported it to the authorities. The company is now in the process of notifying affected customers. They advise users to be extra vigilant for phishing scams and to check the security settings of their accounts. “If you are a customer looking for information on how to keep your account secure, please visit Help Center > My Account & Login > Account Security. When in doubt, log in to view messages from Robinhood—we’ll never include a link to access your account in a security alert.” Robinhood is investigating the incident with the help of Mandiant, a division of the leading cybersecurity firm FireEye. The same firm also helped Colonial Pipeline with their ransomware incident back in May 2021.
Not A First
Stanford University roommates Vladimir Tenev and Baiju Bhatt founded Robinhood in 2013. The company’s mission is to “provide everyone with access to the financial markets, not just the wealthy”. This idea stemmed from witnessing the issues in the financial industry during the 2011 Occupy Wall Street protests. Though Wednesday’s breach is Robinhood’s biggest security incident, it’s not their first. In 2019, the broker-dealer admitted to storing sensitive data in plaintext across their internal systems. Although Robinhood found no evidence that anyone outside their team had accessed this information, a year later hackers compromised almost 2,000 Robinhood user accounts. The most tragic incident, however, is the case of the University of Nebraska student Alexander E. Kearns. The 20-year-old committed suicide in June 2020 after seeing a negative cash balance of US$730,000 in his Robinhood margin trading account. He mistakenly believed that he had lost that money in a risky bet. The day after Alex took his life, he received an automated email from Robinhood. The message explained that the trade had been resolved and he didn’t owe them any money.