Robinhood warned users on Monday that a hacker had talked their way past the stock-trading app’s safeguards, stealing millions of user email addresses and other information. According to a company blog post, the perpetrator called customer service and, posing as an authorized party, duped a Robinhood employee into providing access to the customer support computer system, a hacker technique known as “social engineering”.
After stealing information from Robinhood, the hacker attempted to extort money from the company, which chose to notify authorities and warn users about the breach. “We owe it to our customers to be transparent and act with integrity,” said Robinhood chief security officer Caleb Sima in a blog post. “Putting the entire Robinhood community on notice of this incident now, following a thorough review, is the right thing to do.”
According to the company, the breach occurred late on November 3, with the hacker stealing about five million email addresses for Robinhood users, as well as the names of about two million other members of the investment service.
According to Robinhood, the hacker also appears to have obtained the names, birth dates, and zip codes of 310 users, as well as additional account information for some of those people. He said in one of the posts that “the attack has been contained, and we believe no Social Security numbers, bank account numbers, or debit card numbers were exposed, and that no customers have suffered financial loss as a result of the incident”.
Hackers could use the stolen data to try to dupe Robinhood users with ruses like “phishing” emails posing as the company. Although Robinhood is credited with introducing a generation of new individual investors to the stock market, critics say the platform’s features can make it addictive. The game-like aspects of Robinhood have also sparked fears that users will ignore the serious financial consequences of investing.