Hacker Tricked Robinhood Support Into Revealing Data Of 5 Million Users

from the whoops-a-daisy dept

When it comes to privacy and security, the weakest link continues to be of the human variety.

Trading app Robinhood last week announced in a blog post that somebody used social engineering to trick company support into handing over user login data. On November 3, said "hacker" convinced company support they were cleared to access “certain customer support systems.” From there they nabbed the email addresses of five million users, and the full names of a different group of two million users:

"At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people. We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed. We are in the process of making appropriate disclosures to affected people."

Another subset of users had far more sensitive data exposed to the intruder: 310 users had their full names, dates of birth and ZIP codes revealed, and 10 customers had "more extensive account details revealed" -- though the company doesn't specify which details those were. The company insists that no Social Security numbers were revealed and that nobody suffered any financial losses related to the attack:

"Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident."

By "no financial loss" Robinhood means none of their users had money stolen directly via Robinhood. That doesn't mean those users won't suffer financial losses elsewhere, after being bombarded with phishing emails over the next few months using the email addresses, or compromised via the release of other personal data used elsewhere.

As with most revelations of this type, the scope of the breach is probably significantly bigger than what's currently understood. Also like most such breaches, nobody will remember it happened three months from now, and Robinhood won't be held meaningfully accountable for its exploitable customer service. In a country where most companies have lax security and privacy standards, there's no meaningful privacy law for the internet era, and FTC privacy enforcers that are routinely understaffed, under-funded, and simply outgunned, there's simply not very much incentive to make security and privacy a real priority.


Filed Under: breach, customer support, emails, hacker
Companies: robinhood


Reader Comments



  • JoeCool (profile), 15 Nov 2021 @ 10:50am

    Future contact

    Come on! You can trust us - Robinhood gave us your info, and you trust them, right?


  • Cherie Fovnottingham, 15 Nov 2021 @ 1:53pm

    Muhahhahahahahahah

    Avenged at last I am, Robin of Loxley.


  • Khym Chanur (profile), 15 Nov 2021 @ 2:13pm

    On November 3, said "hacker" convinced company support they were cleared to access “certain customer support systems.”

    So did the attacker take over an existing employee account and then trick a sysadmin into granting that account more privileges? Or was it something really stupid like "I have no employee account, so use Teamviewer/LogMeIn/etc to let me take over your session and use your account"?


    • Lord Lidl of Cheem (profile), 15 Nov 2021 @ 7:47pm

      Re:

      You'd need some pretty specific knowledge of the internal workings and structures of their systems to know what to ask for though. I can't help but feel this was less about the millions of records and more about the ten - smokescreen anyone?


      • That Anonymous Coward (profile), 15 Nov 2021 @ 11:46pm

        Re: Re:

        No you don't.

        mental drift net engage
        Robinhood had NO Customer Service for a very long time.
        After a couple of lawsuits & bad publicity where there were suicides because the platform told young investors they were on the hook for ridiculous amounts of money & well, no one was bothering to get back to the panicked emails from these users who believed what was on their screen, not understanding it wasn't actually reality (which is a lesson everyone should learn about the market).
        Then the very large black eye of saving hedge funds from stonks investors destroying them with GameStop stock, by just stopping trades, undoing trades, & suddenly inventing "rules" to protect the investors that only seemed to really help the hedge funds not crash.

        They did a PR blitz, suddenly had a CSR team. Training optional, because it was basically meant to be like IT support with various tiers of CSRs that exist to make sure the few skilled helpers (that Robinhood promoted but were as available as the Loch Ness Monster to most customers) remained elusive.

        We take your privacy seriously, but only now that we've been caught with our pants down. If we had hired a slightly more expensive CSR team maybe we could have avoided this but our stock price mattered more at the time.

        Besides, there is no real penalty to us in this; tacking more credit monitoring on what already exceeds the consumer's life span is cheap. There is no will in government to hold us accountable, and consumers have short memories. We'll invent some great PR stories about an underdog getting rich & we'll double our user base.
