Robinhood has revealed that the online platform experienced a data security incident on 3 November 2021.
An unauthorized third party obtained the information of a number of clients, Robinhood reported. The company, however, believes that the issue has been contained and that no Social Security numbers, bank account numbers, or debit card numbers have leaked. Robinhood also noted that its clients have not suffered any financial loss resulting from the attack.
Robinhood detailed that the attackers socially engineered a customer support employee by phone, gaining access to certain customer support systems.
According to the official statement, the attackers obtained a list of email addresses for five million people and a list of the full names of two million other people. Additional personal information, such as name, date of birth and zip code, also leaked for 310 people, and a subset of 10 customers had more extensive account details exposed. The company noted that it is currently contacting the affected parties.
The attackers have demanded an extortion payment; however, Robinhood has notified law enforcement and is continuing its investigation of the incident. The help of an outside security firm, Mandiant, has been enlisted.
Robinhood Chief Security Officer Caleb Sima said:
As a Safety First company, we owe it to our customers to be transparent and act with integrity. Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.