Robinhood says a hacker who tried to extort the company got access to data for 7 million customers


Personal information for more than 7 million consumers was accessed during a data breach on November 3rd, according to trading site Robinhood. According to the company, no Social Security numbers, bank account information, or debit card details were disclosed, and no customers have suffered “financial loss” as a result of the issue.

According to Robinhood, an unauthorised third party “socially engineered a customer support employee by phone” and gained access to its customer support infrastructure. The attacker was able to obtain a list of around 5 million email addresses as well as the full names of another 2 million persons.

Additional personal information, such as names, dates of birth, and zip codes, was exposed for a smaller group of roughly 310 persons, and “more extensive account details” were released for about 10 users.

The firm did not elaborate on what those “more extensive” account details were, but in answer to a query from The Verge, a representative said that “we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed” even for those 10 clients.

The company claimed it was in the process of alerting people who had been affected, but the representative declined to disclose whether any of the clients had been deliberately targeted in the attack.

“Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do,” Robinhood chief security officer Caleb Sima said in a statement.

Robinhood claimed the unauthorised third party demanded an “extortion payment” after the company was able to contain the intrusion, and the business alerted law enforcement, but it did not indicate whether it had made any payments. As part of its investigation, Robinhood has enlisted the aid of outside security firm Mandiant.

In an emailed comment to The Verge, Mandiant’s CTO Charles Carmakal stated the company has “recently observed this threat actor in a limited number of security incidents, and we expect they will continue to target and extort other organizations over the next several months.” He didn’t go into any further detail.

Customers who want to know if their accounts were affected should go to the help centre on the company’s website.