Robinhood very quietly announces data breach that affected millions

More than five million email addresses were stolen from Robinhood’s servers last week, the company revealed in a blog post. The trendy stock-trading app unknowingly handed over approximately two million customer names as well.

The attacker in this situation seems to have taken an untraditional route to hack Robinhood’s systems. Rather than exploiting vulnerabilities in the company’s servers, the third party managed to “engineer” a customer support employee over the phone to gain access to this information.

The breach has been contained, now, as far as Robinhood knows. The company says the attacker demanded ransom in exchange for the stolen information, and Robinhood immediately contacted law enforcement about the incident. It’s still under investigation with help from a cybersecurity firm called Mandiant.

This data breach could’ve been much, much worse than it is, especially because Robinhood accounts contain lots of banking information. No money was stolen in the hack, and it seems no one’s social security numbers have been obtained, either.

Some have it worse — Most of Robinhood’s customer base — about two-thirds of it — is completely unaffected by this breach. Of that remaining third, the vast majority only had their email addresses and/or full names stolen. This information can be used to target people with malicious attacks like phishing scams, but email addresses are relatively minor, as far as data breaches go. Seven million people, on the other hand… that doesn’t exactly seem “limited,” in the way Robinhood seems to believe it is.

A much smaller contingent of users did have more information stolen, though. The unauthorized third party did end up revealing the names, dates of birth, and zip codes of about 310 customers. And about 10 customers had “more extensive account details” stolen, too. Robinhood says it’s in the process of letting these customers know their info has been compromised.

Not even an email? — Robinhood is trying to keep this breach as quiet as possible (which isn’t super quiet when millions of people are affected). The company posted news of the attack on its official blog, but all the Robinhood social media channels have been conspicuously silent about the event.

As someone with an account myself, I would’ve expected to receive an email or in-app notification about this, at the very least — but it’s been radio silence instead. It seems customers have been left to dig up this information on the company blog. Direct communication is paramount in a situation like this, both in keeping users safe and in building trust.

This, unfortunately enough, doesn’t come as much of a surprise. Robinhood has pulled some pretty shady moves this year, like suddenly locking down trades of GameStop and AMC stock during their big meme surges. That alone was enough to put Robinhood in legal hot water and send customers packing.

Data breaches are increasingly difficult to avoid, though ones involving employees are somewhat rare. We can only hope Robinhood spruces up its security protocols in response — and cross our fingers that maybe someday the company learns how to better communicate with its customers.