Robinhood Says It Was Hacked and Extorted But Nobody Lost Any Money

The online trading company said a hacker obtained email addresses of 5 million users, and full names of 2 million users.

Robinhood was hacked last week by someone who socially engineered a customer service representative to gain access to the email addresses of more than 5 million customers, the full names of 2 million other customers, and other data from a much smaller group of customers, the company said in a blog post published Monday. The hacker then allegedly attempted to extort the company.


"The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems," Robinhood wrote in the blog post. "At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people."

"We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed," it added. "We are in the process of making appropriate disclosures to affected people."

Robinhood wrote that "the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident."

Erin Gallagher, a social media and disinformation researcher, told Motherboard she previously asked Robinhood to delete her account. Gallagher said in a tweet that Robinhood confirmed it deactivated her account in January. But she received the notice saying her email address was exposed in this latest breach in November, raising questions on what data Robinhood has kept on previous users. Gallagher forwarded a copy of the breach notification to Motherboard.

Robinhood told Motherboard that it is required by SEC rules to keep account information for six years after an account is closed.

Robinhood has been repeatedly in the news this year, most famously for halting trading during the GameStop frenzy in January, which further contributed to mass volatility in the market and ultimately was the subject of Congressional hearings, as well as various federal, state, and local investigations. Robinhood also recently went public. The company has helped drive the meme stock bonanza because of the way it has gamified trading, and because it allows stock trades with no commission. After halting trading for GameStop, many Robinhood investors turned on it. This security breach is likely to increase the already intense scrutiny on the company. 

Joseph Cox contributed reporting.
