Data breach at trading platform Robinhood exposes 7 million customer records

Sicherheit (Pexels, allgemeine Nutzung)[German]The U.S. company Robinhood Markets has confirmed a privacy incident involving the personal data of about 7 million customers. That's about a third of its users. Among other things, a cyberattacker captured emails, which could lead to follow-up attacks on Robinhood customers. The cyberattacker attempted to extort the company after gaining access to email addresses and more through social engineering of a customer service representative.

Robinhood Markets, Inc. is a U.S. financial services company that operates a website and offers mobile apps for iPhone, Apple Watch and Android. Through these options, Robinhood offers the ability to invest in stocks, ETFs, and options, and to trade crypto through Robinhood Crypto. In this statement, Robinhood confirms the cyberattack took place back on November 3, 2021.

Robinhood Announces Data Security Incident

Late in the evening of November 3, we experienced a data security incident. An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers. Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident. 

The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems. At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people. We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed. We are in the process of making appropriate disclosures to affected people.

Apparently, the attacker succeeded in gaining access to the account of a customer service employee via social engineering and thus access to e-mail addresses and more. In the process, five million customer data and another 2 million customer data were captured. This involved personal data such as name, date of birth, etc. It is unclear whether access to financial data (account data) was also gained.  Bleeping Computer has published some more information here.

After the company locked out the intruder, he tried to blackmail the company. The company immediately notified law enforcement authorities and continues to investigate the incident with the help of Mandiant, an external security company.

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *