Robinhood Reveals Data Breach and Extortion Shakedown7 Million Customers' Names and Email Addresses Stolen via Social Engineering Attack
Financial services firm Robinhood Markets says an attacker has gained access to its customer support system, stolen account details for 7 million people and then attempted to extort the company.
Robinhood, which is based in Menlo Park, California, offers commission-free trading of stock, funds and cryptocurrency.
The company, in a Monday blog post, says the attacker tricked a customer support employee over the phone on Wednesday, which led to the attacker gaining "access to certain customer support systems."
The attacker obtained email addresses for 5 million people and full names for a "different group" of 2 million people, Robinhood says.
More personal information and data, meanwhile, were also stolen, albeit for a smaller number of customers. For 310 individuals, this stolen data included their name, birthdate and ZIP code. A group of 10 customers also had "more extensive account details revealed," but Robinhood did not specify the precise information stolen by the attacker.
"Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident," Robinhood says.
Robinhood didn't describe the attacker's extortion demand.
The company says it has alerted law enforcement authorities to the incident and brought in digital forensics firm Mandiant to investigate.
Reached for comment on Monday, Robinhood shared a statement attributed to Mandiant's CTO, Charles Carmakal, saying that his investigators had "recently observed this threat actor in a limited number of security incidents, and we expect they will continue to target and extort other organizations over the next several months."
What is the risk posed to Robinhood customers by this data breach? If the email addresses are publicly exposed or sold, it will leave them at heightened risk of being targeted with phishing emails. Such illicit communications often attempt to trick message recipients into divulging their account credentials, for example, by routing them to a fake look-alike site designed to harvest credentials. Another common phishing tactic is to disguise the message as a legitimate communication that instructs a recipient to open a malicious attachment or visit a malicious site that is designed to infect their system with malware.