Robinhood shared a formal blog post to announce the data breach. In the post, the company wrote that it experienced a data security incident on the evening of 3rd November. An unauthorized attacker “socially engineered a customer support employee by phone,” and was able to access the company’s customer support systems.
This way, the attacker was able to acquire a list of email addresses of the company’s 5 million (approx) customers. Robinhood also added that the attacker was able to access the full names of another 2 million customers, apart from the previous ones.
Additional personal information like names, dates of birth, and zip codes of a smaller group of customers, approximately 310, was exposed, and for 10 other customers “more extensive account details” were accessed by the intruder. Although the company did not mention the content of the extensive account details, a Robinhood spokesperson stated “we believe no Social Security numbers, bank account numbers, or debit card numbers were exposed.”
Following the containment of the data breach, the company came to know that the attacker planned to acquire “extortion payment” for the cyber-attack. While it did not specifically mention whether the payment was made or not, Robinhood notified the relevant law enforcement authorities.
The company sought the help of a third-party security company Mandiant to investigate the situation. While the company investigates the unfortunate incident, any worried customers can go to the help center of the company’s website to know whether their accounts have been affected by the breach or not.