Robinhood admits to storing some passwords in cleartext

Issue is now resolved and the company is emailing affected customers and recommending a password reset.

Stock trading service Robinhood has admitted today to storing some customers' passwords in cleartext, according to emails the company has been sending to impacted customers, and seen by ZDNet.

"On Monday night, we discovered that some user credentials were stored in a readable format within our internal system," the company said.

"We resolved the issue, and after thorough review, found no evidence that this information was accessed by anyone outside our response team."

Robinhood is now resetting passwords out of an abundance of caution, despite not finding any evidence of abuse.

A company spokesperson told ZDNet via phone call that not all Robinhood users were impacted, but could not reveal the exact number. We were told the issue is believed to be resolved, and passwords are now being hashed using the Bcrypt algorithm, according to a help page.

On Monday, the same day that Robinhood developers discovered the cleartext password issue, the company announced it had raised $323 million in a Series E funding round, bringing the company's valuation to $7.6 billion, around 35% higher than its previous valuation.

Robinhood is in select company

Storing passwords in cleartext is a huge security blunder; however, Robinhood is in "good company." This year alone, Facebook, Instagram, and Google have all admitted to storing users' passwords in cleartext.

Facebook admitted in March to storing passwords in cleartext for hundreds of millions of Facebook Lite users and tens of millions of Facebook users.

Facebook then admitted again in April to storing passwords in cleartext for millions of Instagram users.

Google admitted in May to also storing an unspecified number of passwords in cleartext for G Suite users for nearly 14 years.

And a year earlier, in 2018, both Twitter and GitHub admitted to accidentally writing users' plaintext passwords to internal logs.
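A defender-side check in the spirit of the fix described above (passwords moved to bcrypt) and of the Twitter and GitHub log incidents, added here as an illustration and not code published by Robinhood or any of the companies named: it audits stored credential values for the bcrypt layout and work factor, and scans log lines for raw password fields. The minimum cost, the field names, the redaction markers and the sample records and log lines are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Modular-crypt layout of a bcrypt string: $2b$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # assumed minimum acceptable bcrypt work factor for this audit
# Log fields that must never carry a raw secret; captured values are post-filtered below
LOG_SECRET_RE = re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*(\S+)")
REDACTION_MARKERS = {"[redacted]", "***", "<masked>"}

@dataclass(frozen=True)
class Finding:
    where: str   # user id or log line number
    issue: str   # "not-bcrypt", "weak-bcrypt" or "secret-in-log"

def classify_stored_credential(value: str) -> str:
    """'bcrypt' for a well-formed bcrypt string with cost >= MIN_COST, 'weak-bcrypt'
    when the layout is right but the cost is too low, else 'not-bcrypt' (cleartext
    or any other scheme the policy does not allow)."""
    m = BCRYPT_RE.match(value)
    if m is None:
        return "not-bcrypt"
    return "bcrypt" if int(m.group(1)) >= MIN_COST else "weak-bcrypt"

def audit_credentials(records: dict) -> list:
    """Flag every user whose stored credential is not an acceptable bcrypt hash."""
    return [Finding(uid, kind) for uid, value in records.items()
            if (kind := classify_stored_credential(value)) != "bcrypt"]

def audit_log_lines(lines: list) -> list:
    """Flag log lines that carry a password value other than a redaction marker."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for _field, value in LOG_SECRET_RE.findall(line):
            if value.strip("\"'").lower() not in REDACTION_MARKERS:
                findings.append(Finding(f"line {n}", "secret-in-log"))
    return findings

# Constructed sample data: not real users, hashes or log entries
SAMPLE_RECORDS = {
    "u1": "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",  # acceptable
    "u2": "$2b$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",  # cost too low
    "u3": "correct horse battery staple",                                   # cleartext
}
SAMPLE_LOG = [
    "2019-07-24 21:03:11 INFO login ok user=u1 password=[REDACTED]",
    "2019-07-24 21:03:12 DEBUG auth request user=u3 password=correct-horse",
]
```

Running `audit_credentials(SAMPLE_RECORDS)` reports u2 as weak-bcrypt and u3 as not-bcrypt, and `audit_log_lines(SAMPLE_LOG)` flags only the second line.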

Robinhood is a web and mobile service with a large user base that offers zero-commission trading in traditional stocks as well as cryptocurrencies.
