Hacker attempting to blackmail Robinhood gained access to data on 7 million clients.
According to the company, no Social Security or bank card numbers were retrieved.
Robinhood, a trading platform, announced Monday that over 7 million clients' personal information was compromised in a data breach on November 3rd. According to the company's news release, no Social Security numbers, bank account numbers, or debit card numbers appear to have been revealed, and no customers have suffered "financial loss" as a result of the incident.
According to Robinhood, an unauthorized third party "socially engineered" a customer care representative over the phone and gained access to the company's customer support systems. The attacker obtained a list of around 5 million people's email addresses and the full names of another 2 million people. Additional personal information, including names, dates of birth, and zip codes, was exposed for a smaller group of approximately 310 persons, and "detailed account details" were released for approximately ten users.
The firm did not specify what those "extensive" details were, but in response to a query from The Verge, a representative stated that even for those ten users, "we think that no Social Security numbers, bank account numbers, or debit card numbers were disclosed." The representative declined to comment on whether any of the consumers were directly targeted in the incident, but the company stated that it was in the process of alerting affected customers.
"Following a thorough examination, we believe that notifying the whole Robinhood community about this issue immediately is the appropriate course of action," Robinhood chief security officer Caleb Sima said in a statement.
Following the attack's containment, Robinhood stated that an unauthorized third party requested an "extortion payment," and the business alerted law enforcement but did not specify if it made any payments. Robinhood has enlisted the assistance of outside security firm Mandiant to conduct an investigation into the event. Mandiant's CTO, Charles Carmakal, stated in an email to The Verge that the company has "recently detected this threat actor in a small number of security events, and we anticipate they will continue to target and extort additional firms over the coming several months." He made no additional comment.
Customers seeking information on whether their accounts have been impacted can visit the company's help center.