Stock and cryptocurrency trading app Robinhood said Monday that a cyber intruder hacked into the company’s systems last week and snatched the personal information of millions of users.
The attack took place on November 3, Robinhood said in a blog post. The hacker gained access to certain Robinhood customer support systems by impersonating a customer service representative over the phone—a tactic known as voice phishing.
The cyber attack affected more than seven million accounts, about a third of Robinhood users. Information exposed includes:
- Email addresses for approximately five million people;
- Full names for a different group of two million people;
- About 310 people suffered loss of additional personal information, including name, date of birth and zip code;
- Ten customers had “more extensive account details revealed.”
“No social security numbers, bank account numbers, or debit card numbers were exposed,” Robinhood said, adding that no financial loss to any customers was known as a result of the incident.
Robinhood said it’s in the process of notifying affected individuals and encourages users to turn on two-factor authentication in their account security settings.
The company said a ransom payment was demanded after the incident was contained. It has informed law enforcement and hired the outside security firm Mandiant to investigate the incident.
In the S-1 filing with the SEC ahead of its IPO, Robinhood noted an increased risk of cybersecurity incidents due to remote work during the pandemic. “Due to the current COVID-19 pandemic, there is an increased risk that we may experience cybersecurity-related incidents as a result of our employees, service providers and other third parties working remotely on less secure systems and environments,” it said in the filing. “Controls employed by our information technology department and our customers and third-party service providers, including cloud vendors, could prove inadequate.”