Robinhood Leaks the Data of 7 Million Users

Robinhood, the trading platform that became wildly popular after it launched in 2015 thanks to its flagship feature, "no commission" trading, reported that information on a staggering 7 million of its users has been leaked as the result of a data breach. The 7 million Robinhood customers affected by the breach comprise roughly a third of the platform's entire user base.

Robinhood announced the breach took place last week, on November 3. The attackers managed to gain access to Robinhood's data after they used what must have been some really clever social engineering. According to the statement released by the trading platform, the attack was pulled off after one of the bad actors got on the phone with a Robinhood customer service representative.

According to Robinhood, the bad actor also attempted to extort money from the company in exchange for not leaking the exfiltrated information. The contents of the leaked information vary, but the trading platform informed the public that no card numbers, Social Security numbers, or bank account numbers were stolen in the breach.

The majority of customers affected by the leak have only had their email addresses leaked. However, the stolen information also contained around 2 million full real names to go with the email addresses. More specific information was extracted for a very limited number of people, considering the full scope of the breach.

Just over 300 customers had their full names, ZIP codes and dates of birth leaked. Another 10 customers had additional information related to their account leaked, but Robinhood did not specify what exactly those details were, calling them simply "more extensive".

The company is in the process of informing all affected customers personally, in order to minimize the risk of further social engineering tricks.

This attack shows once again how important it is to have reliable defenses not just on the digital front but also in your HR department. Training employees against social engineering scams, attack vectors and subtleties related to the specific information and accounts they handle is vital. The human factor can never be eliminated entirely from any organization and this sort of training will always remain essential to maintaining a high level of security.
