The popular Robinhood stock trading app suffered a critical data breach on November 3rd. According to a blog post from the company, around 7 million customers were affected, and hackers managed to obtain the full names, ZIP codes, and birthdays of around 300 people. At least ten customers lost “extensive account details” in the breach.
Thankfully, the majority of customers impacted by this data breach (5 million) only had their email addresses exposed to hackers. But around 2 million people had their full names exposed, and again, hundreds of people lost some pretty sensitive data.
Robinhood claims that a customer-support employee was tricked into giving a hacker access to internal systems. It’s a damming revelation, and it shows that Robinhood has learned very little since its 2019 data breach (which was the result of storing sensitive info in plaintext).
Will it ever end @troyhunt? Just got this email from the Robinhood investing app. I closed my account a while ago since I leavened I’m bad at investing. pic.twitter.com/YfgvU74t4x
— Austin Farley (@farleyaustin) November 8, 2021
The lack of transparency here is also frustrating. Robinhood says that the hacker (or hackers) put forth an extortion payment after stealing customer info, but the company hasn’t announced if it paid the money.
Oh, and there’s one very annoying detail to this story—Robinhood withheld its announcement until 4 PM EST. That’s when the NYSE closes. While this interesting timing may prevent people from wildly selling off stock (you should just transfer to another broker), it also means that Robinhood’s stock actually closed with a 2.6% gain today. (For what it’s worth, the stock fell 3% during after-hours trading.)
If you were impacted in this data breach, Robinhood will send you an email explaining what (if any) personal info was exposed. Either way, we suggest that all Robinhood users update their passwords. If you aren’t using unique passwords for every app or website, please download a password manager to help you get the job done right.