Online broker Robinhood has admitted that users' personal data was leaked. The incident took place on November 3, the company said in a blog post.
Based on its investigation, Robinhood believes that Social Security numbers and bank card details were not disclosed and that none of the users suffered financial losses.
The blog post states:
“Late in the evening of November 3, we experienced a data security incident. An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers. Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident.”
According to the Robinhood statement, “The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems.”
Robinhood says that the attackers obtained a list of email addresses of about five million people and the full names of about two million users.
“At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people and full names for a different group of approximately two million people.”
For 310 accounts, additional personal information was compromised, including name, date of birth, and mailing address, with a subset of approximately 10 customers having more extensive account details revealed.
After obtaining users’ data, the attackers demanded a ransom. Robinhood contacted law enforcement and cybersecurity firms to investigate the incident.
“After we contained the intrusion, the unauthorized party demanded an extortion payment. We promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm.”