Robinhood has revealed that it experienced a security breach incident on November 3rd, which exposed the data of as many as 7 million users or around a third of its userbase. The bad actor, the financial services company said, obtained the email addresses of 5 million people and the full names of a different group of around 2 million customers. In addition, the infiltrator managed to steal additional personal information of 310 users, including their name, date of birth and zip code. More extensive account details were exposed for 10 customers among those 310.
No Social Security numbers, bank account numbers or debit card numbers were exposed in the incident, Robinhood said, but it's still making the appropriate disclosures to the affected customers. The company, which allows users to make commission-free stock and crypto trades, said it had already contained the attack. Upon cutting the hacker's access off, the attacker demanded payment for the stolen data and made threats on what they would do with the information if they weren't paid.
A Robinhood spokesperson told Bloomberg that it wasn't a ransomware attack, but they also declined to say if they paid up — and if so, how much money changed hands. In its blog post, the company explained that the perpetrator used social engineering techniques on a phone support rep to obtain access to certain customer support systems. Robinhood said it informed law enforcement about the breach and that it had secured the services of security firm Mandiant to investigate the incident. Charles Carmakal, Mandiant's CTO, told Bloomberg that this could just be the start of a series of breaches. Apparently, the firm expects the attacker to target and extort other companies and organizations over the coming months.