Robinhood, a trading platform, said Monday that personal data for over 7 million customers was accessed in a November 3rd data breach. In a press release, the company stated that no Social Security numbers, bank account numbers or debit card numbers were compromised and that no customers suffered any "financial losses" as a result.
Robinhood stated that an unidentified third party "socially engineered" a customer service employee by telephone and was able to access the company's customer support systems. The attacker obtained email addresses for about 5 million people, and full names for another 2 million. Additional personal information was revealed for a smaller number of people (about 310), including their names and dates of birth.
The company didn't provide any further information about those "extensive" details, but a spokesperson for The Verge stated that while 10 customers were not specifically targeted, they believed that "no Social Security numbers or bank account numbers nor debit card numbers were exposed." The spokesperson did not say whether any customers were targeted, only that the company was working to notify those affected.
Robinhood chief security officer Caleb Sima said in a statement, "Following diligent review, it is the right thing for us to put the entire Robinhood community on notice of this incident now."
Robinhood stated that the attacker sought an "extortion" payment. The company informed law enforcement, but didn't say whether any payments had been made. Robinhood called on Mandiant, an outside security firm, to assist it in investigating the incident. Charles Carmakal (CTO of Mandiant) stated in an email to The Verge that the company had "recently observed [this threat actor] in a limited amount of security incidents, but we expect them to continue to target other organizations over several months." He didn't elaborate.
Customers looking for information on whether their accounts have been affected should visit the help section of the company's site.
Robinhood has had a difficult 2021. In January, Robinhood stopped trading after Redditors caused a spike in the prices of meme stocks like AMC Theatres and GameStop. These incidents led to a hearing in Congress where CEO Vlad Tenev and Reddit CEO Steve Huffman testified, as well as trader Keith Gill (aka RoaringKitty).
According to Bloomberg data, the company's July debut on the Nasdaq stock exchange was the worst among 51 US companies that had raised more money than Robinhood. Robinhood stated in its S-1 that it had acknowledged the findings of the SEC Enforcement Division inquiry. The United States Attorney's Office for Northern California had also executed a search warrant for Tenev's cell phone.