RobinHood, a Menlo Park-based American financial services company known for pioneering commission-free trades of stocks, exchange-traded funds, and cryptocurrencies via a mobile app, has been hacked.
According to a statement released on the evening of November 8th, the email addresses of approximately five million RobinHood users have been obtained by an unauthorized third party. Additionally, the full names and physical addresses of two million app users have been accessed by cybercriminals.
The attackers also managed to steal personal information, including the full name, date of birth, and zip code, of hundreds of RobinHood users. Additionally, the hackers might have been after particular accounts, as approximately ten RobinHood users had even more extensive account details revealed.
According to the statement released by the stock-trading app, Social Security Numbers and banking information were not leaked during the cyber incident. The company also said that the incident has not yet caused any financial loss for app users. However, all affected users are currently receiving notifications from RobinHood that hackers might have accessed their details.
The cybercriminals demanded ransom, but RobinHood did not comply with the hackers’ demands. The intrusion was first discovered on November 3rd and was immediately resolved. RobinHood has been evaluating the damages over the last few days.
Currently, the origin of the attack remains unknown. Many believe that the attack might have come from overseas, but there is no definitive information on whether the attack came from Russia, Iran, or North Korea. According to the RobinHood statement, the criminals socially engineered a customer support employee by phone and managed to obtain access to specific customer support systems.
This is not the first time RobinHood has become a victim of a cyber-attack. Two years ago, the app administrators sent emails to affected customers admitting that RobinHood had been storing customer passwords in cleartext and readable form across their internal systems accessed by hackers. At the time, RobinHood refused to disclose the number of people affected by the breach.
RobinHood invited users interested in keeping their accounts safe to visit the app and go to Help Center > My Account & Login > Account Security. The company also highlighted that it would never include a link to access users’ accounts in a security alert.