IOTW: Robinhood hit by scam exposing millions of customer data points

Security incident contained quickly but other organizations remain vulnerable


US investment app Robinhood hit by information security breach

US investment app Robinhood has confirmed it was the subject of a hack that exposed the data of seven million customers.

The company said that a “data security” incident occurred on 3 November 2021 during which an unauthorized third party obtained access to a limited amount of personal information for a portion of its customers.

Robinhood has carried out an investigation into the hack and said it believed that no US Social Security numbers were obtained, that no bank account numbers or debit card numbers were exposed, and that no customers suffered financial loss as a result of the incident.


Customer data compromised

The hacker was able to obtain a list of five million email addresses and the full names of a separate group of two million people.
A limited number of people, around 310, saw additional personal information exposed while 10 people had more extensive account details revealed, the company said.

The incident happened when the unauthorized party “socially engineered a customer support employee by phone and obtained access to certain customer support systems”.

The unauthorized party then demanded an extortion payment. In response, Robinhood notified law enforcement and brought in Mandiant, a cyber security firm, to help investigate the incident.

Charles Carmakal, SVP and CTO, Mandiant, told Cyber Security Hub: “Robinhood quickly contained the security incident and conducted a thorough investigation to assess the impact.”

The type of attack faced by Robinhood was by no means unique and, according to Carmakal, will likely happen again.

“Mandiant has recently observed this threat actor in a limited number of security incidents and we expect it will continue to target and extort other organizations over the next few months,” Carmakal remarked.

Previous issues faced by the company

Launched in 2015, Robinhood aims to allow ‘everyday people’ access to the US stock market. It became a publicly listed company in July 2021.

The incident does not mark the first time Robinhood has been hit by an information security issue. In 2019 the company revealed that it had stored some of its users' passwords in plaintext rather than in hashed form.

In March 2020 the company experienced an outage and trading on its platform became temporarily unavailable. Robinhood attributed this to infrastructure that failed to keep up with unprecedented load; the resulting “thundering herd” effect then triggered a failure of its DNS system.

Robinhood has previously published guides on how customers can keep their accounts secure and said that it automatically protects all accounts with its Trusted Devices feature, a form of two-factor authentication (2FA). In July 2021, the company said its best defence was its “informed, vigilant customers”.