Robinhood has disclosed a security breach incident which took place “late in the evening of November 3” and affected over 7 million customers, resulting in unauthorized access to personal information by an unidentified threat actor.
Robinhood has, however, stated that the attack has been contained, that no Social Security numbers, bank account numbers or debit card numbers were exposed, and that customers suffered no financial loss as a result of the incident.
The hacker socially engineered a customer service representative to gain access to internal support systems, and used that access to obtain the email addresses of five million users, full names for a different group of about two million people, and additional information such as names, dates of birth, and zip codes for a limited set of 310 more users.
The infiltrator is also said to have demanded an extortion payment in exchange for the stolen data, which prompted the firm to involve law enforcement authorities in the matter. It is not clear whether the ransom demands were met or what amount, if any, was paid.
Robinhood has also stated that the list of email addresses included previously deactivated accounts; under Robinhood’s terms, this data is retained in order to comply with regulations requiring the company to preserve certain books and records.
“We take the security of all collected data extremely seriously, and we don’t intend to use this data for anything beyond the fulfillment of our regulatory requirements,” the company points out in a support page.
Robinhood users are advised to visit Help Center > My Account & Login > Account Security to secure their accounts with two-factor authentication.