Investment app Robinhood: Extortionist tricked our support desk and made off with customer information

Robinhood, Robinhood, had a data leak. Robinhood, Robinhood, infosec was weak

Investment app Robinhood has revealed an extortionist accessed its internal systems and siphoned off customer data after tricking a support desk worker.

“Late in the evening of November 3, we experienced a data security incident,” starts a Monday night advisory by the Silicon-Valley-based financial upstart. It continues:

An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers … The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems.

“Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident,” it adds.

But other data was obtained by the miscreant, namely:

  • Approximately five million customer email addresses;
  • Full names of a different group of two million people;
  • Name, date of birth, and zip code for 310 people;
  • "More extensive account details" for ten people.

"After we contained the intrusion, the unauthorized party demanded an extortion payment," Robinhood disclosed. The biz says it "promptly informed law enforcement" and is "continuing to investigate the incident with the help of Mandiant."

And that's all the info Robinhood has released for now.

The Register fancies that whoever got in was able to have a good rummage around inside Robinhood. How else to explain the four different types of data leak the post reveals?
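A support-desk account that has been taken over by phone looks, in the audit trail, like an agent who suddenly reads far more customer records than any ticket needs. The sketch below is an added example, not Robinhood's tooling or code and not drawn from its advisory: it parses constructed JSON-lines audit events from a hypothetical support console (field names `agent`, `action`, `customer_id` are assumptions) and raises an alert when one agent touches more distinct customers in a 15-minute window than a normal workflow would. The log data is constructed inline and is not real customer data.

```python
"""Flag a support-console account that reads far more customer records than a
normal ticket workflow needs: a sliding-window count of distinct customers per
agent over constructed audit-log lines. Added example; field names are assumed."""
import json
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Alert:
    agent: str
    window_start: datetime
    window_end: datetime
    distinct_customers: int


def parse_log(text):
    """Parse JSON-lines audit events; ISO-8601 timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def detect_bulk_access(events, window=timedelta(minutes=15), max_distinct=50):
    """Return one Alert per agent whose distinct-customer count inside any
    sliding window exceeds max_distinct. Only view_customer events count."""
    by_agent = defaultdict(list)
    for e in events:
        if e.get("action") == "view_customer":
            by_agent[e["agent"]].append(e)

    alerts = []
    for agent, evs in by_agent.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()  # customer_id -> views currently inside the window
        left = 0
        for e in evs:
            in_window[e["customer_id"]] += 1
            # Slide the left edge forward until every event is within `window`.
            while evs[left]["ts"] < e["ts"] - window:
                old = evs[left]["customer_id"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > max_distinct:
                alerts.append(Alert(agent, evs[left]["ts"], e["ts"], len(in_window)))
                break  # one alert per agent is enough to start triage
    return alerts


def constructed_log():
    """Constructed sample: one agent doing normal lookups, one pulling records in bulk."""
    base = datetime(2021, 11, 3, 22, 0, tzinfo=timezone.utc)
    rows = []
    # agent_a: three lookups minutes apart, the shape of ordinary ticket handling
    for i in range(3):
        rows.append({"ts": base + timedelta(minutes=5 * i), "agent": "agent_a",
                     "action": "view_customer", "customer_id": f"c10{i:02d}"})
    # agent_b: 400 distinct customers at one record every two seconds (constructed bulk pull)
    for i in range(400):
        rows.append({"ts": base + timedelta(minutes=41, seconds=2 * i), "agent": "agent_b",
                     "action": "view_customer", "customer_id": f"c2{i:04d}"})
    return "\n".join(
        json.dumps({**r, "ts": r["ts"].isoformat().replace("+00:00", "Z")}) for r in rows
    )


if __name__ == "__main__":
    for a in detect_bulk_access(parse_log(constructed_log())):
        print(f"{a.agent}: {a.distinct_customers} distinct customers between "
              f"{a.window_start:%H:%M:%S} and {a.window_end:%H:%M:%S} UTC")
```

The threshold of 50 distinct customers per 15 minutes is a placeholder; in practice it is set from each team's historical baseline, and the alert is most useful when it can pause the session or require re-authentication rather than merely page an analyst after the records have already left.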

Robinhood's schtick is providing commission-free trades in securities, cryptocurrencies, and exchange-traded funds, with an app that brings a video game aesthetic to investing, plus an easy-to-use website. The biz positions itself as demystifying investment and democratising wealth-building – a Robin Hood that lets users into Wall Street's closed club.

But the upstart has a poor record on the infosec and resilience fronts. In 2019 it admitted storing some passwords in plaintext, and in 2020 experienced an outage it blamed on a DNS infrastructure swamped by interest.

Robinhood has even been fined for providing inaccurate information to investors – one of whom took his own life after the app's UI led him to believe he was $750,000 in the hole from an options trade.

In early 2021 the company's fee-free services saw it become a vehicle of choice for netizens who sought to profit from a short squeeze of GameStop and other meme stocks.

Berkshire Hathaway CEO Warren Buffett and vice-chairman Charlie Munger both criticized Robinhood over its role in the GameStop mania.

Buffett labelled Robinhood an organisation that taps into people's desire to gamble, rather than facilitating wealth-building. Of the GameStop frenzy, Munger opined that it was "just God awful that something like that would draw investment from civilized men and decent citizens".

Of course 91-year-old Buffett and 97-year-old Munger are the epitome of the Wall Street billionaire elite Robinhood suggests it wants to supplant. ®


Biting the hand that feeds IT © 1998–2021