Late in the evening of November 3, Robinhood experienced a data security incident, involving an unauthorized third party obtaining access to a limited amount of personal information for some of its customers. Based on the company’s investigation, the attack has been contained with no Social Security numbers, bank account numbers, or debit card numbers exposed. The platform claims that its customers haven’t suffered any financial loss.
How did the data breach happen and how many Robinhood customers were affected?
Apparently, an unauthorized third party “socially engineered a customer support employee by phone and obtained access to certain customer support systems.” As a result, a list of email addresses for approximately five million people, and full names for a different group of approximately two million people were obtained. Additional personal information for 310 other people was also exposed, including name, date of birth, and zip code. More extensive account information was taken from 10 other customers. Robinhood says they are currently working on making appropriate disclosures to the affected individuals.
The intruders demanded an extortion payment
After Robinhood “contained the intrusion,” the cybercriminals demanded an extortion payment. The company informed law enforcement and are currently investigating the incident with cybersecurity firm Mandiant.
“As a Safety First company, we owe it to our customers to be transparent and act with integrity. Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do,” said Robinhood Chief Security Officer Caleb Sima.
What to do, if affected?
“If you are a customer looking for information on how to keep your account secure, please visit Help Center > My Account & Login > Account Security. When in doubt, log in to view messages from Robinhood—we’ll never include a link to access your account in a security alert,” Robinhood added.