
Stock trading service Robinhood has admitted today to storing some customers' passwords in cleartext, according to emails the company has been sending to impacted customers, and seen by ZDNet.
"On Monday night, we discovered that some user credentials were stored in a readable format within our internal system," the company said.
"We resolved the issue, and after thorough review, found no evidence that this information was accessed by anyone outside our response team."
Robinhood is now resetting passwords out of an abundance of caution, despite not finding any evidence of abuse.
A company spokesperson told ZDNet by phone that not all Robinhood users were impacted, but could not reveal the exact number. We were told the issue is believed to be resolved, and that passwords are now being hashed using the bcrypt algorithm, according to a help page.
On Monday, the same day Robinhood developers discovered the plaintext password issue, the company announced it had raised $323 million in a Series E funding round, bringing its valuation to $7.6 billion, around 35% higher than the previous valuation.
Robinhood is in select company
Storing passwords in cleartext is a huge security blunder; however, Robinhood is in "good company." This year alone, Facebook, Instagram, and Google have all admitted to storing users' passwords in cleartext.
Facebook admitted in March to storing passwords in cleartext for hundreds of millions of Facebook Lite users and tens of millions of Facebook users.
Facebook then admitted again in April to storing passwords in cleartext for millions of Instagram users.
Google admitted in May to also storing an unspecified number of passwords in cleartext for G Suite users for nearly 14 years.
And a year earlier, in 2018, both Twitter and GitHub admitted to accidentally storing users' plaintext passwords in internal logs.
Robinhood is a web and mobile service with a large user base that allows zero-commission trading in traditional stocks as well as cryptocurrencies.