A data breach at Robinhood has exposed the personal information of 7 million users
Trading site Robinhood says personal information for more than 7 million consumers was accessed during a data breach on November 3rd. According to the company, no Social Security numbers, bank account information, or debit card details were disclosed, and no consumers have suffered “financial loss” as a result of the issue.
According to Robinhood, an unauthorized third party “socially engineered a customer care employee by phone” and gained access to its customer support infrastructure. The attacker was able to obtain a list of around 5 million email addresses as well as the full names of another 2 million persons. Additional personal information, such as names, dates of birth, and zip codes, was exposed for a smaller group of roughly 310 persons, and “more complete account details” were released for about 10 users.
The firm did not elaborate on what those “extensive” details were, but in answer to a query from The Verge, a representative said that “we think that no Social Security numbers, bank account numbers, or debit card numbers were disclosed” even for those 10 clients. The company said it was in the process of alerting people who had been affected, but the representative declined to disclose whether any of the clients had been deliberately targeted in the attack.
“Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do,” Robinhood chief security officer Caleb Sima said in a statement.
Robinhood said the unauthorized third party demanded an “extortion payment” after the company was able to contain the attack, and the business alerted law enforcement, but it did not indicate whether it had made any payments. As part of its investigation, Robinhood has enlisted the aid of outside security firm Mandiant. In an emailed comment to The Verge, Mandiant’s CTO Charles Carmakal stated the company has “recently identified this threat actor in a small number of security events, and we expect them to continue to target and extort other enterprises over the next several months.” He didn’t go into any further detail.
Customers who want to know if their accounts were affected should go to the help center on the company’s website.