Robinhood Markets Inc. said Monday that an intruder gained access to its systems last week and made off with the personal information of millions of its users.
The trading app said in a blog post that the incident took place on Wednesday evening and that the breach has since been contained.
Email addresses for about five million Robinhood users were exposed, as were the full names of a different group of about two million users. The intruder also accessed more-extensive personal information for a subset of more than 300 users.
No Social Security numbers, bank-account numbers or debit-card numbers were exposed, and customers haven’t experienced any financial losses, Robinhood said in the blog post.
The intruder was able to gain access to Robinhood systems by impersonating an authorized party to a customer-support employee on the phone, the company said.
Robinhood said a ransom payment was demanded after the hack was contained. The company said it has informed law enforcement and continues to investigate the incident with the help of cybersecurity company Mandiant.
A Mandiant executive said in an emailed statement that the company recently observed the intruder in other security incidents and expects it to continue to “target and extort other organizations over the next several months.”
So-called voice phishing, or vishing, campaigns were the subject of a Federal Bureau of Investigation notification to businesses in January that warned that cybercriminals were targeting employees of companies world-wide. In 2020, there were about 241,000 victims of phishing, vishing and related scams, more than double the figure in 2019, according to FBI data. Victim losses from such scams totaled $54 million last year, down slightly from 2019.
With 22.4 million net funded accounts and $95 billion in assets under custody, Robinhood makes for an attractive target for malicious attacks. The company flagged in securities filings ahead of its July initial public offering that, because of the Covid-19 pandemic, there was an “increased risk that we may experience cybersecurity-related incidents as a result of our employees, service providers and other third parties working remotely on less secure systems and environments.”
New York’s Department of Financial Services has also been investigating Robinhood’s cybersecurity practices and found violations of state cybersecurity requirements at its cryptocurrency arm, Robinhood said in the securities filings. Robinhood reached a settlement with the state regulator over its conduct that includes an expected monetary penalty of $30 million and the hiring of an outside monitor, according to the filings.
The Robinhood intruder accessed a customer-service system that has struggled to keep up with the millions of new users the app has added since early 2020. The company more than tripled the number of customer-support agents on staff last year and planned to more than double their numbers again this year. In March, the company said it would spend $11.7 million and hire nearly 400 people for a new customer-support center in North Carolina.
While the Robinhood hackers largely stole information that was not particularly sensitive—customer names and email addresses—that doesn’t mean it would be useless to hackers, said Allison Nixon, chief research officer at Unit 221B LLC, a cybersecurity investigations company.
For years now, Ms. Nixon has tracked hackers who have used social-engineering techniques—typically they impersonate someone via phone or email—to trick employees into revealing sensitive information. A social-engineering attack on a company-support representative is often an early step in a broader effort to mine both stolen and public data to target and impersonate victims in future attacks, she said. “These companies are basically being used as a phone book,” she said.
The more than 300 Robinhood customers who had more information stolen are now at much greater risk of being targeted by an attack such as SIM swapping, where hackers take over their victims’ mobile-phone numbers in an attempt to break into their online accounts, she said.
This story has been published from a wire agency feed without modifications to the text.