“Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident,” the Silicon Valley financial company noted.
The malicious third-party is believed to have socially engineered a customer service representative to gain access to internal support systems, using it to obtain the email addresses of five million users, full names for a different group of about two million people, and additional information such as names, dates of birth, and zip codes for a limited set of 310 more users.
Of the latter, at least 10 customers have had their “extensive account details” revealed. However, the company did not provide further specifics about what those “extensive” details were.
But once the breach was reined in, Robinhood said the infiltrator demanded an extortion payment in exchange for the stolen data, prompting the firm to involve law enforcement authorities in the matter. It’s not immediately clear if the ransom demands were met, and if so, how much money was involved.
Interestingly, the list of email addresses also includes accounts that have been previously deactivated. According to Robinhood’s terms, this is done so “because regulations require us to preserve certain books and records.”
“We take the security of all collected data extremely seriously, and we don’t intend to use this data for anything beyond the fulfillment of our regulatory requirements,” the company points out in a support page. In the wake of the breach, Robinhood is recommending users to visit Help Center > My Account & Login > Account Security to secure their accounts with two-factor authentication.