Robinhood suffers data breach exposing information of millions of customers
Breach followed a social engineering attack on a support employee
Popular stock trading platform Robinhood Markets disclosed on Monday that it suffered a data breach last week when hackers accessed personal details of about 7 million customers and demanded a ransom payment.
The firm revealed in a blog post that the incident occurred on 3 November, when the perpetrators telephoned a customer support employee and used social engineering to trick them into granting access to certain customer support systems.
The unauthorised access allowed the cyber criminals to obtain a list of email addresses for about 5 million customers and full names for another group of about 2 million people.
For a limited number of people, about 310 in total, the compromised information also included their dates of birth and ZIP codes alongside their names.
Moreover, 10 customers had "more extensive account details revealed", the firm said, without explaining further.
Based on its investigation, Robinhood believes no bank account details, social security numbers or debit card numbers were exposed, and that no customer has suffered financial loss as a result of the breach.
After the intrusion was contained, the hackers demanded an extortion payment.
The Menlo Park, California-based firm said it "promptly" informed law enforcement, although it did not say whether it paid any ransom to hackers.
The company is investigating the breach with the help of the cyber security firm Mandiant.
Robinhood offers a popular mobile app for trading cryptocurrency, stocks, and more. More than 22 million users have accounts at Robinhood, of which nearly 19 million users actively used the platform during September 2021, according to the company.
"As a Safety First company, we owe it to our customers to be transparent and act with integrity," Robinhood's chief security officer Caleb Sima said.
"Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do."
The company said it is in the process of informing affected users directly. It also advised customers to visit the "Account Security" portion of its "Help Center" for more information on keeping their personal data secure.
The data breach is thought to be the largest suffered by Robinhood, although it is not the first.
Last year, cybercriminals reportedly stole customer funds after infiltrating nearly 2,000 accounts at Robinhood.
The firm said at the time that the attack did not stem from a breach of its internal systems; rather, the hackers targeted customers whose email addresses had already been compromised outside of Robinhood.
Commenting on the fact that in the latest breach the attackers gained access to internal systems through a single employee's mistake, Chris Deverill, UK director at Orange Cyberdefense, said: "The latest cyberattack on Robinhood is a stark reminder of the critical need for organisations to adopt a layered security strategy that includes the increasingly critical aspect of defending against human error."