Robinhood said Monday that the popular trading app suffered a security breach last week in which hackers accessed some personal information of roughly 7 million users and then demanded a ransom payment. The online trading platform said it believes no Social Security numbers, bank account numbers or debit-card numbers were exposed and that customers have seen no financial losses because of the intrusion. The company said on Twitter that the “attack has been contained.”
For the vast majority of affected customers, the only information obtained was an email address or a full name. For 310 people, the information taken included their name, date of birth, and ZIP code. Of those, 10 customers had “more extensive account details revealed,” Robinhood said in a statement.
The hack started with a phone call to customer support, according to the statement. The hacker relied on social engineering to convince an employee to provide “access to certain customer support systems,” Robinhood said. The company added that it is in the process of “making appropriate disclosures to affected people.”
Robinhood said that after it contained the intrusion, “the unauthorized party demanded an extortion payment.” The company said it notified law enforcement and is investigating the incident with the help of the security firm Mandiant. More than 22 million users have funded accounts at Robinhood, with nearly 19 million actively using theirs during September. Robinhood shares fell 3.2% in pre-market trading.
Mandiant Chief Technology Officer Charles Carmakal said Robinhood “conducted a thorough investigation to assess the impact” and that his firm expects the intruder to continue to target and extort other organizations over the next several months.
In a separate episode last year, almost 2,000 Robinhood accounts were compromised in a hacking spree in which customer accounts were looted. Some complained there was no one available to call.