Robinhood hack exposed the names, email addresses of millions of customers

Robinhood Markets Inc said on Monday that an intruder gained access to its systems last week and tampered with the personal information of millions of its users.

The trading app said in a blog post that the incident happened on Wednesday evening and that the breach has since been contained.

The email addresses of nearly five million Robinhood users were exposed, as were the full names of a separate group of nearly two million users. The intruder also accessed more extensive personal information for a subset of over 300 users.

Robinhood said in the blog post that no social security numbers, bank-account numbers or debit-card numbers have been exposed and that customers have suffered no financial loss.

The company said the intruder was able to gain access to Robinhood systems by impersonating an authorized party to a customer-support employee over the phone.

Robinhood said a ransom was demanded after the hack. The company said it has notified law enforcement and is investigating the incident with the help of cyber security company Mandiant.

A Mandiant executive said in an emailed statement that the company had seen the same intruder in other security incidents recently and expects it to continue “targeting and extorting other organizations over the next several months.”

So-called voice phishing, or vishing, campaigns were the subject of a Federal Bureau of Investigation notification to businesses in January, which warned that cybercriminals were targeting employees of companies around the world. According to FBI data, in 2020 there were approximately 241,000 victims of phishing, vishing and related scams, more than double the number in 2019. Victims of such scams lost a total of $54 million last year, slightly less than in 2019.

With 22.4 million net funded accounts and $95 billion in assets, Robinhood is an attractive target for malicious attacks. The company flagged in a securities filing ahead of its July initial public offering that, due to the COVID-19 pandemic, “there was an increased risk that we could experience cybersecurity-related incidents as a result of our employees, service providers and other third parties working remotely on less secure systems and environments.”

Robinhood said in a securities filing that the New York Department of Financial Services is also investigating Robinhood’s cybersecurity practices and found violations of state cybersecurity requirements at its cryptocurrency arm. Robinhood settled with the state regulator over its conduct, according to the filing, which includes an expected monetary fine of $30 million and the hiring of an external monitor.

The Robinhood intruders exploited a customer-service system that has struggled to keep pace with the millions of new users added to the app since early 2020. The company more than tripled the number of customer-support agents on its staff last year and plans to more than double their numbers again this year. In March, the company said it would spend $11.7 million and hire about 400 people for a new customer-support center in North Carolina.

While the Robinhood hackers largely stole information that wasn’t particularly sensitive — customer names and email addresses — that doesn’t mean it would be useless to hackers, said Allison Nixon, chief research officer at Unit 221B LLC, a cybersecurity investigation company.

For years now, Ms Nixon has tracked down hackers who use social-engineering techniques, usually impersonating someone over the phone or by email, to trick employees into disclosing sensitive information. She said the social-engineering attack on a customer-support representative is often just an initial step in a broader effort to mine both stolen and public data to target and impersonate victims in future attacks. “These companies are basically being used as a phone book,” she said.

The more than 300 Robinhood customers who had more extensive information stolen are now at greater risk of being targeted by attacks such as SIM swapping, where hackers take over their victims’ mobile phone numbers in an attempt to break into their online accounts, she said.

This story has been published without modification to the text from a wire agency feed
