Investment app Robinhood: Extortionist tricked our support desk and made off with customer information
Robinhood, Robinhood, had a data leak. Robinhood, Robinhood, infosec was weak
Investment app Robinhood has revealed an extortionist accessed its internal systems and siphoned off customer data after tricking a support desk worker.
“Late in the evening of November 3, we experienced a data security incident,” starts a Monday night advisory by the Silicon-Valley-based financial upstart. It continues:
An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers … The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems.
“Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident,” it adds.
But other data was obtained by the miscreant, namely:
- Approximately five million customer email addresses;
- Full names of a different group of two million people;
- Name, date of birth, and zip code for 310 people;
- "More extensive account details" for ten people.
"After we contained the intrusion, the unauthorized party demanded an extortion payment," Robinhood disclosed. The biz says it "promptly informed law enforcement" and is "continuing to investigate the incident with the help of Mandiant."
And that's all the info Robinhood has released for now.
The Register fancies that whoever got in was able to have a good rummage around inside Robinhood. How else to explain the four distinct sets of data, each of a different scope, that the disclosure lists?
Robinhood's schtick is providing commission-free trades in securities, cryptocurrencies, and exchange-traded funds, with an app that brings a video game aesthetic to investing, plus an easy-to-use website. The biz positions itself as demystifying investment and democratising wealth-building – a Robin Hood that lets users into Wall Street's closed club.
But the upstart has a poor record on the infosec and resilience fronts. In 2019 it admitted storing some customer passwords in plaintext, and in 2020 it suffered an outage it blamed on DNS infrastructure swamped by demand.
Robinhood has even been fined for providing inaccurate information to investors – one of whom took his own life after the app's UI led him to believe he was $750,000 in the hole from an options trade.
Berkshire Hathaway CEO Warren Buffett and vice-chairman Charlie Munger both criticized Robinhood over its role in the GameStop mania.
Buffett labelled Robinhood an organisation that taps into people's desire to gamble, rather than facilitating wealth-building. Of the GameStop frenzy, Munger opined that it was "just God awful that something like that would draw investment from civilized men and decent citizens".
Of course 91-year-old Buffett and 97-year-old Munger are the epitome of the Wall Street billionaire elite Robinhood suggests it wants to supplant. ®