Robinhood announced that its popular app suffered a data breach that leaked the names, email addresses, and other information of more than 7 million users.
In a statement on Monday, Robinhood said it discovered the incident on November 3 and that an “unauthorized third party” had managed to obtain the personal information of millions of Robinhood customers. The company confirmed that no SSNs, bank account details, or credit card information were exposed.
“The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems. At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people,” the company said.
Robinhood acknowledged that information on 7 million customers was leaked during the attack, and that affected customers have been notified via email. The breach exposed the email addresses of about 5 million customers, and the full names and DOBs of about 2 million customers.
In the press release, Robinhood also indicated that the breach may have exposed the names, zip codes, and dates of birth of around 310 people and “account details” of roughly 10 customers. The company stated that no bank account details or credit card information are believed to have been exposed.
Robinhood data breach exposed 7 million customers https://t.co/F0cj7y4YIE
— CNET (@CNET) November 8, 2021
Robinhood also said that the cybercriminals behind the attack threatened the company and demanded “an extortion payment.” Robinhood has not confirmed whether it paid, but it has contacted law enforcement agencies and hired the cybersecurity firm Mandiant.
Mandiant Chief Technology Officer Charles Carmakal, in a statement to Bloomberg, said that they believe cybercriminals behind the attack will “continue to target and extort other organizations over the next several months.”
Robinhood was fined by the US Financial Industry Regulatory Authority in July for causing harm to millions of customers as a result of system failures including a major outage in March 2020. They have also been accused of sending “false and misleading information” to customers.
The company had since filed to go public, and the breach came just three months after its initial public offering. It follows the same trend as other recent data breaches, including the Twitch data breach in October and the T-Mobile data breach in September.
In an interview with ZDNet, Bob Rudis, Chief Data Scientist at Rapid7, said that Robinhood was also the victim of a cyberattack back in 2020. He added that most organizations focus on ransomware attacks, while traditional data breaches that expose names, email addresses, and metadata can be equally harmful, since such information is used in identity theft and phishing campaigns.
Rudis also recommended that Robinhood customers be extra careful and use unique passwords for their cloud apps. Enabling MFA on your accounts is also recommended to strengthen security.