Hacker Hits Robinhood to Steal Email Addresses From 5 Million Users

Stock and cryptocurrency trading app Robinhood is reporting a data breach that exposed email addresses for 5 million users and full names for another 2 million.

The incident occurred on Nov. 3, when a hacker called a Robinhood customer support employee and used social engineering tricks to dupe them into giving up access to certain customer support systems.

“Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident,” the company wrote in a blog post on Monday.

Instead, Robinhood has only uncovered evidence that the hacker “obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people.

“We also believe that for a more limited number of people —approximately 310 in total— additional personal information, including name, date of birth, and ZIP code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed,” Robinhood said, without elaborating.

The hacker also issued an extortion demand to Robinhood; it's unclear if the company paid up. But Robinhood has since notified law enforcement and hired security firm Mandiant to investigate the incident.

In addition, the company plans on notifying all affected users about the breach. The email from the Robinhood is apparently warning users to be on guard against phishing attacks that’ll try to impersonate the company in an effort to hijack access to a user’s account.

“If you are a customer looking for information on how to keep your account secure, please visit Help Center > My Account & Login > Account Security,” the company added. “When in doubt, log in to view messages from Robinhood —we’ll never include a link to access your account in a security alert.”