Personal information of 7 million Robinhood customers were exposed.
Robinhood disclosed that its popular app had suffered a breach, affecting around 7 million customers which resulted in unauthorized access of personal information by an unidentified threat actor.
The commission-free stock trading and investing platform confirmed that no Social Security numbers, bank account numbers, or debit card numbers were exposed.
The 7 million people had some amount of information leaked in the attack and all the affected customers have been emailed regarding the breach.
According to Robinhood, the unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems. The unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people.
Additional personal information, including name, date of birth, and zip code of around 310 more people were also exposed. Out of which at least 10 customers have had their “extensive account details” revealed. However, the company did not provide further details about what those “extensive” details were.
Robinhood stated that the cybercriminal threatened them and demanded “an extortion payment.” The company did not reveal whether they paid the sum and they contacted law enforcement and hired cybersecurity firm Mandiant.
Mandiant Chief Technology Officer Charles Carmakal said that they believe the people behind the attack will continue to target and extort other organizations over the next several months.
The RobinHood customers are advised to be extra vigilant and make sure to use unique passwords across their cloud application and MFA enabled on all of them.