The logo of Robinhood Markets on Wall Street after the company’s IPO, in New York on July 29 2021. Picture: REUTERS/ANDREW KELLY

Robinhood Markets announced on Monday an embarrassing security breach that exposed the personal information of millions of its users, which will be of particular concern to the 300 or so customers who suffered the worst privacy compromise.

Most of the 7 million affected accounts had only one piece of personal information exposed: either the user’s name or their email address. But in about 310 cases, more sensitive data such as date of birth and area code was uncovered, as well as the user’s full name.

About 10 of those people had “more extensive account details revealed”, Robinhood said, adding that the company is “making appropriate disclosures” to those users.

No social security, bank account or debit card numbers were compromised, and no customer suffered financial loss as a result of the incident, Robinhood said.

The danger is that the exposed information could be used to facilitate further attacks of the sort that revealed the users’ data in the first place. Attributes such as birthdays and physical addresses are difficult to change and are commonly used as verification checks when logging in to various services.

The lapse in Robinhood’s data security came through a customer support employee, whose co-operation was used to obtain access to internal support systems.

While Robinhood has not disclosed how long it took to inform affected users of last week’s intrusion, that is the period when the risk would have been highest.

Now that they are aware of the breach, the best course of action for affected customers is to alter any security checks that rely on their date of birth and to practise good online security hygiene, such as enabling two-factor authentication and treating emails from unfamiliar senders with scepticism.

Robinhood said it contained the breach, notified law enforcement and enlisted security firm Mandiant to investigate the matter. Mandiant chief technology officer Charles Carmakal said Robinhood “conducted a thorough investigation to assess the impact”.

Still, the company’s “safety first” maxim, oft repeated by executives, will ring hollow to the millions of users who are now a little more vulnerable to phishing attacks and the smaller group who will have to be extra vigilant because they chose to use the free-trading platform.

Bloomberg News. More stories like this are available on bloomberg.com
