Scandal-hit investment platform Robinhood has revealed that the personal data of millions of its customers was exposed by a “data security incident” after an extortionist “socially engineered” a customer support staffer last week.
In a blog advisory on Monday, the Silicon Valley-based company disclosed that the “unauthorized third party” had convinced the employee over the phone to give them access to “certain customer support systems.”
During the data breach, which occurred on November 3, the attacker got hold of some five million users’ email addresses and obtained the full names of an additional two million people.
The intruder also apparently accessed additional personal details, including names, dates of birth, and address ZIP codes for a smaller group of 310 people. Meanwhile, the company said “more extensive account details” of 10 customers were taken – but it did not specify what those details were.
According to Robinhood, the criminal then demanded an extortion payment for the stolen information. The blog post noted that the attack had been “contained.” The firm said “no Social Security numbers, bank account numbers, or debit card numbers” were exposed by the breach and believes there has been “no financial loss” to any customer as a result.
Although the hackers apparently made threats about what they would do with the information, a company spokesperson told Bloomberg that it was not a ransomware attack. The unnamed representative also declined to comment on whether the firm ended up paying the attackers.
Robinhood corporate communications manager Casey Becker told tech news outlet Gizmodo that the company has “reached out to the relevant authorities.” The blog post noted that law enforcement agencies were aware of the incident while the firm is “continuing to investigate the incident with the help of [cybersecurity company] Mandiant.”
The company has a spotty record when it comes to customer account safety. Last year, almost 2,000 accounts were compromised in a hack that reportedly saw customer funds being siphoned out. Meanwhile in 2019, the firm said that a security lapse had potentially exposed improperly stored customer passwords and other credentials.
Earlier this year, Robinhood faced a congressional hearing after investors sued the firm over “market manipulation” for freezing a frenzied Reddit-led trading campaign on so-called meme stocks like GameStop and AMC Theaters. The company had termed the move a “risk-management decision” and denied that it was influenced by its links to major financial companies.