The popular trading app Robinhood has suffered a major security breach.
In a statement on its website, the company said the incident took place on Nov. 3.
“An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers,” the statement said.
“Based on our investigation, the attack has been contained, and we believe that no Social Security numbers, bank account numbers or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident.
“The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems,” the statement continued.
The statement said the extent of the information stolen varied.
“At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people and full names for a different group of approximately two million people,” the statement said.
The statement said that for 310 people “additional personal information, including name, date of birth and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed.”
The statement claimed that after the company “contained the intrusion, the unauthorized party demanded an extortion payment.”
“We promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm,” the statement explained.
“As a Safety First company, we owe it to our customers to be transparent and act with integrity,” Robinhood Chief Security Officer Caleb Sima said. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”
“Financial services firms are huge targets because there are always new customers coming: a refresh of identities, a refresh of credentials,” said Bob Rudis, chief data scientist at the cybersecurity firm Rapid7 Inc., according to Bloomberg. “Everyone talks about ransomware, but credentials and identities are still things being sold on the dark web and criminal forums. It’s very valuable data.”
Mandiant Chief Technology Officer Charles Carmakal said Robinhood “conducted a thorough investigation to assess the impact.”
He expects the intruder will keep targeting other organizations.
TechCrunch noted that the company will have some work to do in its operations.
“Whatever lacking security controls that allowed a hacker to trick a Robinhood customer service representative into granting them access to an internal system is a likely focus for its investigation,” the site reported.