A cybercriminal used social engineering techniques to access the personal data of approximately seven million Robinhood customers before demanding an extortion payment from the online trading platform.

Approximately five million Robinhood customers had their email addresses accessed while a separate group of some two million people had their full names exposed.

More seriously, around 310 people had their name, date of birth and zip code accessed by the “unauthorised third party”. Of this group, 10 customers had “more extensive account details revealed”. Robinhood did not elaborate on what those details were but said no Social Security numbers, bank account numbers or debit card numbers were compromised.

The US-based financial services firm said in a statement that the “data security incident” took place on 3 November. The attacker “socially engineered” a Robinhood customer support employee over the phone to gain access to customer support systems. Social engineering is a form of psychological manipulation commonly employed by cybercriminals to gain access to sensitive information. For example, an attacker might impersonate an IT support agent to convince an employee to provide a login and password.

Robinhood said it has contacted law enforcement and that cybersecurity firm Mandiant is also investigating the data breach. The retail investor app said it is in the process of notifying affected customers.

“As a safety-first company, we owe it to our customers to be transparent and act with integrity,” said Robinhood chief security officer Caleb Sima. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”

Jake Moore, cybersecurity specialist at ESET, said the Robinhood data breach “should not be taken lightly” and that customers should be wary of the increased risk of phishing emails.

“The more information that is stolen in a breach, the more manipulative and authentic-looking phishing emails tend to be,” the former Dorset Police digital forensics officer added. “When such emails are coupled up with ‘proof’, such as date of birth or address, it can be that much more powerful in the call-to-action, which is often a further click to divulge even more information – often financial.”

Founded in 2013, Robinhood provides commission-free stock, ETF and cryptocurrency trading via its mobile app. The Menlo Park, California-headquartered company went public in July 2021 in an IPO that gave it a $32bn valuation.

The company’s shares fell by 3.1% in after-market trading on Monday following the news of the data breach.

In 2019, Robinhood admitted to storing some customers’ passwords in cleartext instead of encrypting them. However, there was no evidence at the time that any passwords were improperly accessed.

The company found itself at the centre of the retail investment wave in early 2021, with members of the Reddit group r/wallstreetbets using the Robinhood app to pump up the price of GameStop shares and other so-called “meme stocks” to short squeeze institutional backers who had bet on those stocks failing. Robinhood, along with other retail brokers, restricted the trading of certain stocks and faced backlash and lawsuits from retail investors.

The company was fined $70m in July by the US Financial Industry Regulatory Authority over outages in March 2020 and for sending “false or misleading information” to its customers.

According to GlobalData’s intelligence centre, Robinhood has made two acquisitions since 2019.