Stock and crypto trading platform Robinhood has revealed that it suffered a “security incident” in which an unauthorized third party obtained access to personal information about its customers. Robinhood confirmed the attack in a recent blog post and stated that it occurred on the evening of November 3.
The company has downplayed the attack, saying that it “has been contained and that no Social Security numbers, bank account numbers, or debit card numbers were exposed.” However, it also confirmed that at least five million email addresses were stolen, along with another two million records containing full names. A smaller group of customers, 310 according to Robinhood, may have had more data stolen, such as name, date of birth, and zip code. Even more extensive data may have been breached for 10 Robinhood customers.
The unauthorized party has made a ransom demand, but it cannot be confirmed whether any payment has been made. Robinhood has outsourced the investigation to Mandiant, a leading cyber security firm.
Initial investigations indicate that the attacker staged a social engineering attack against an internal customer support employee and then obtained access to customer support systems.
Robinhood is in the process of informing customers who may have been affected by the breach.
“As a Safety First company, we owe it to our customers to be transparent and act with integrity,” said Robinhood Chief Security Officer Caleb Sima. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”