Robinhood Markets said personal information of about 7 million people – or roughly a third of its customers – was compromised in a data breach last week and that the culprit demanded payment.
The intruder obtained email addresses of about 5 million people, as well as full names for a separate group of about 2 million, Robinhood said. For some customers, even more personal data was exposed, including names, birth dates and ZIP codes of about 310 people, and more extensive information belonging to a group of about 10.
The Menlo Park, California-based brokerage said it believes no Social Security, bank account or debit-card numbers were exposed during the November 3 incident, and that customers did not incur financial losses.
The hacker made threats about what would be done with the compromised information, although it wasn’t a ransomware attack, according to a Robinhood spokesperson, who declined to say whether the firm paid the perpetrator.
The attack hinged on a phone call with a customer service representative, whom the intruder used to gain access to support systems, Robinhood said. The company said it contained the breach, notified law enforcement and enlisted security firm Mandiant to investigate.
Mandiant chief technology officer Charles Carmakal said Robinhood “conducted a thorough investigation to assess the impact” and that his firm expects the intruder to continue to target and extort other organisations over the next several months.
In a separate episode last year, almost 2,000 Robinhood accounts were compromised in a hacking spree in which customer accounts were looted. Some complained there was no one available to call.
Since then, the company has been working to demonstrate that it’s a reliable brokerage for new investors. Executives often repeat the maxim that Robinhood is a “safety first” company.
The firm, which helped popularize free trading, went on a hiring binge for customer-service staff, more than tripling the size of that team in 2020. The brokerage opened offices in Arizona, Texas and Colorado as part of its expansion. It unveiled 24/7 phone support last month.