Online stock trading platform Robinhood has confirmed it was hacked last week with more than five million customer email addresses and two million customer names taken, as well as a much smaller set of more specific customer data.
The company said in a blog post that a malicious hacker had socially engineered a customer service representative over the phone November 3 to get access to customer support systems. That allowed the hacker to obtain customer names and email addresses, but also the additional full names, dates of birth and ZIP codes of 310 customers.
Robinhood said that 10 customers had “more extensive account details revealed.” Robinhood did not say what information specifically, though no Social Security numbers, bank account numbers or debit card numbers were exposed and caused no immediate financial loss to customers.
But it’s precisely that kind of information that malicious hackers can use to facilitate further attacks against victims, like targeted phishing emails, since names and dates of birth can often be used to verify a person’s identity.
The company said once it secured its systems the hacker then “demanded an extortion payment.” Robinhood instead notified law enforcement and security firm Mandiant to investigate the breach.
It’s a similar breach to how Twitter was hacked in July 2020. A then-teenage hacker used social engineering techniques to trick some of Twitter’s employees into thinking the hacker was an employee, allowing the hacker access to an internal Twitter “admin” tool, which he used to hijack high-profile accounts and spread a cryptocurrency scam. The attack netted the hacker just over $100,000 in cryptocurrency. In its aftermath, Twitter rolled out security keys to its staff to toughen its defenses against attacks that prevent these kinds of attacks from working in the future.
Whatever lacking security controls that allowed a hacker to trick a Robinhood customer service representative into granting them access to an internal system is a likely focus for its investigation.