What Was Stolen in the Robinhood Data Breach (and What You Should Do Now) [Updated]


Popular stock trading app Robinhood recently experienced a security breach that exposed the personal information of millions of users. While most Robinhood users—and their investments—are apparently safe, a follow-up investigation revealed more information was stolen than originally thought, and users need to take steps to keep their accounts and personal data secure.

What was stolen in the Robinhood security breach?

In an official blog post, the company says the attack took place on Nov. 3, when an “unauthorized third party” used social engineering to gain access to a portion of the app’s customer support system. Robinhood’s security team successfully secured the compromised database, but the lone hacker then demanded an extortion payment. Robinhood reported the attack to the authorities and to the third-party cybersecurity firm Mandiant instead of complying with the hacker’s demands.

According to Robinhood’s internal investigation, the breach compromised the email addresses of at least five million accounts and the full names of an additional two million users. Of the compromised accounts, at least 310 also had their zip codes and dates of birth accessed, and 10 users had “extensive account details revealed,” though Robinhood has not disclosed what additional information was compromised for those accounts.

Days later, the company published an updated blog post on Nov. 16 alerting users that over 4,400 phone numbers were also stolen. Phone numbers were not included in Robinhood’s original data breach disclosure, and their presence in the stolen data makes this a more severe hack than originally assumed. Hackers can use phone numbers to send SMS phishing scams and malware-laced files, or to acquire additional user data via social engineering for account hijacking, SIM swap attacks, and identity theft.

Robinhood says it still appears no Social Security numbers, bank account numbers, or debit card numbers were stolen, and that “there has been no financial loss to any customers as a result of the incident.”

However, it’s always possible other data was accessed by the hackers that Robinhood’s investigation is yet to uncover.

How to keep your accounts and data safe

Robinhood is contacting the subset of users most affected by the breach with steps to secure their accounts, but for everyone else, the company suggests checking its Account Security support page for ways to increase your account security. Most of the tips are standard cybersecurity measures everyone should use on all the accounts they use, like turning on two-factor authentication (2FA) and using a strong, unique login password, but there are also helpful resources specific to the Robinhood app, such as ways to keep your Robinhood account safe while traveling abroad, and how to spot and report fraudulent activity.

Since passwords and financial information were unaffected, it is unlikely your bank or other accounts and apps were directly compromised, even if someone lifted your email address or full name. Such information is easy to find through other means anyway.

Still, it’s possible hackers could launch phishing scams and email-based malware attacks using that information, so brush up on how to spot online scams and make sure you’re protecting your devices with reliable anti-malware apps.

And now that we know several thousand phone numbers were also stolen, users should be extra vigilant. Update login info and enable 2FA on any accounts tied to your phone number. As mentioned before, hackers can use phone numbers to execute a SIM swap attack. We have a guide on preventing SIM swaps here, as well as tips for spotting and responding to them.

Here’s hoping this Robinhood leak is finally under control, but we’ll be sure to update you if any other data is confirmed stolen.

This post was originally published on November 9, 2021 and was updated November 17, 2021 with new information.

[The Verge]
