Robinhood Hack Compromises Millions of Customer Email Addresses and Names

Someone recently hacked and attempted to extort Robinhood, the popular investment and trading platform, gaining access to millions of customers’ email addresses and full names in the process.

The platform revealed the security incident in a blog post published Monday, assuring users that nobody had lost any money as a result of the incident.

“An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers,” the company revealed, while emphasizing that the breach had since been contained and that there had been “no financial loss to any customers.”

The incident, which took place on Nov. 3, was apparently the result of a social engineering scheme that targeted a customer support employee. The hacker convinced the employee that they were cleared to access “certain customer support systems,” and subsequently gained access to the email addresses of approximately 5 million customers and the full names of approximately 2 million customers, the company said.

For a much smaller subset of customers, the data breach was substantially more invasive: “We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed,” the company’s blog post says.

Afterward, the criminal attempted to extort the company with the information it had stolen.

When reached for comment, a Robinhood representative confirmed to Gizmodo that no “Social Security numbers, bank account information, or debit card numbers were exposed in the breach.”

“I can also confirm that we’ve reached out to the relevant authorities,” Robinhood corporate communicates manager Casey Becker said. “We do not have any additional information beyond the blog post to share at this time.”

Robinhood says it is also currently working with Mandiant, a leading cybersecurity firm, to further investigate the incident.

In its blog post, Robinhood has pointed customers to its Account Security page. While stolen email addresses and names may not seem that bad, they can easily be weaponized by cybercriminals. Hackers often attempt to pair such data points with other personal information that they can recover via open-source or illicit means—all in the hopes of potentially compromising your personal accounts.