Robinhood breach leaks information of 7 million people

Names, email addresses and, in some cases, the dates of birth and zip codes of Robinhood customers were exposed.
Written by Jonathan Greig, Contributor

Robinhood announced that its popular app has suffered a breach, exposing millions of email addresses, names and more.

In a statement released on Monday, Robinhood said it discovered the incident on the evening of November 3, explaining that an "unauthorized third party" managed to obtain their customers' personal information. 

The company was quick to say that no Social Security numbers, bank account numbers, or debit card numbers were exposed. 

But they admitted that about 7 million people had some amount of information leaked in the attack. The customers affected have been emailed. 

"The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems. At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people and full names for a different group of approximately two million people," the company said. 

"We also believe that for a more limited number of people -- approximately 310 in total -- additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed. We are in the process of making appropriate disclosures to affected people."

Robinhood said the cybercriminal threatened them and demanded "an extortion payment." They did not say if they paid the sum but noted that they contacted law enforcement and hired cybersecurity firm Mandiant. 

"As a Safety First company, we owe it to our customers to be transparent and act with integrity," said Robinhood chief security officer Caleb Sima. "Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do."

Mandiant Chief Technology Officer Charles Carmakal told Bloomberg that they believe the people behind the attack will "continue to target and extort other organizations over the next several months."

Robinhood was fined $70 million in July by the US Financial Industry Regulatory Authority for causing "significant harm" to "millions of customers" for a number of systematic failures, including major outages in March 2020, as well as "false or misleading information" sent to customers from the company. 

For Robinhood customers interested in learning more about how their accounts are kept safe, the company suggested heading to the app and looking through the "Account Security" section. 

Bob Rudis, the chief data scientist at Rapid7, told ZDNet that Robinhood was a victim of an attack back in 2020, and he noted that once a company has been a target, it tends to remain on hit lists. This is particularly true for wildly successful financial services startups like Robinhood, he added.

"While many organizations have affixed their gazes on ransomware, traditional cybercriminal enterprises continue to pilfer coveted identity information from individuals who likely have -- or aspire to have -- significant financial assets. This core information -- name, email address, and other metadata -- are used in highly targeted (and, far too often successful) phishing campaigns and identity theft campaigns, making all exposed potential extended victims of the core attack," Rudis said.

"Anyone who is a RobinHood customer should be extra vigilant and ensure they have unique passwords across their cloud application portfolio and MFA enabled on all of them (anyone who uses any non-trivial internet service that doesn't support MFA should cease using said service(s) and strive to be as safe as possible as they can online). These attacks persist against all financial services firms, and it only takes one misstep to fall prey to clever, targeted campaigns."
