The recent hack at app-based investment platform Robinhood also impacted thousands of phone numbers, Motherboard has learned.
The news provides more clarity on the nature of the data breach. Originally, Robinhood said that the breach included the email addresses of 5 million customers, the full names of 2 million customers, and other data from a smaller group of users.
Motherboard obtained a copy of the stolen phone numbers from a source who presented themselves as a proxy for the hackers. The file includes around 4,400 phone numbers.
When asked if the numbers belonged to Robinhood customers, the company told Motherboard in a statement that “We’ve determined that several thousand entries in the list contain phone numbers, and the list also contains other text entries that we’re continuing to analyze.”
Do you have a tip about Robinhood? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email firstname.lastname@example.org.
“We continue to believe that the list did not contain Social Security numbers, bank account numbers, or debit card numbers and that there has been no financial loss to any customers as a result of the incident. We’ll continue making appropriate disclosures to affected people,” the statement added. Robinhood said it plans to update its blog post about the breach with the new information about the phone numbers.
Robinhood is an app that markets itself as letting more people enter the world of investing without paying fees up front. It entered the spotlight earlier this year during the rush of retail investing in meme stocks such as GameStop. At the time, Robinhood blocked purchases of certain stocks and became the subject of investigations by the SEC and other entities, including the Department of Justice.
Last week, Motherboard reported that the hackers managed to gain access to an internal tool which offered the ability to remove security features from specific Robinhood user accounts. Robinhood said that based on its investigation, the hackers did not make changes to any customer accounts, however.
Phone numbers are particularly valuable to hackers because services often use SMS for multi-factor authentication. If a hacker can take control of a victim’s number they may be able to reroute login verification codes to themselves. Or, armed with a phone number, a hacker can send phishing messages or calls to the target to try and obtain their verification codes. Earlier this month, Motherboard reported on the booming underground trade of bots that streamline the process of social engineering targets via automated phone calls.