An attacker gained access to some of Robinhood’s customer support systems and stole the personal data of a third of the app’s userbase
Robinhood, the highly popular trading platform, has revealed that it suffered a cybersecurity breach on November 3rd that affected some 7 million of its users.
“An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers. Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident,” according to Robinhood.
The company found that a cybercriminal gained access to a number of its customer support systems after leveraging social engineering techniques during a phone call with a support agent. The attacker got their hands on the email addresses of some five million people, and on the full names of another group of circa two million people.
Additionally, a little more than 300 customers had their names, birth dates, and zip codes exposed. Robinhood also admitted that a subset of 10 customers had more extensive account information accessed; however, it did not go into any further details on the matter. The company, which has more than 22 million users, is notifying users who have been hit by the incident.
The trading platform was able to shut down the intrusion, which didn’t sit well with the attacker, who tried to extort Robinhood, demanding payment after they were locked out. The authorities were looped in and the breach is being investigated by the company.
“As a Safety First company, we owe it to our customers to be transparent and act with integrity. Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do,” said Robinhood Chief Security Officer Caleb Sima.
Information obtained from such data breaches can be a goldmine for attackers, not least because it can be used to commit identity theft and all manner of scams. The data can also be sold in bulk on the dark web, where such personal information can fetch a pretty penny for the criminals.
Earlier this year, we reached out to security consultant Alejandro Hernández, who had taken a peek under the hood of a long list of brokerage apps, to hear his thoughts about the security posture of these services, as well as about what steps traders should take to remain safe.
Additionally, ESET Chief Security Evangelist Tony Anscombe recently shared a few valuable tips for reducing the risk of falling victim to identity theft.