IBL News | New York
Online trading platform Robinhood (NASDAQ: HOOD), often criticized for its shortcomings in customer support, reported a new problem: a data breach.
The Menlo Park, California-based company confirmed yesterday that it was hacked on November 3rd, when a mishap involving a customer support representative allowed a hacker to steal personal information, including about five million customer email addresses and two million names. For some customers, even more personal data was exposed, including names, birth dates, and ZIP codes of about 310 people and more extensive information belonging to a group of about 10.
The breach, which affected one-third of customers overall, didn’t result in any financial loss for clients, the start-up said.
According to Robinhood, “the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident.”
The intruder demanded an extortion payment. Robinhood informed law enforcement and continues to investigate the incident with the help of security firm Mandiant.
The hack took place after the cybercriminal tricked a customer support representative by phone and obtained access to certain client support systems.
A similar hack occurred at Twitter in July 2020. A teenage hacker used social engineering techniques to trick some of Twitter’s employees into thinking the hacker was an employee, allowing the hacker access to an internal Twitter “admin” tool, which he used to hijack high-profile accounts.
Shares of Robinhood fell 3.5% to $35.68 yesterday in New York.
In a separate episode last year, almost 2,000 Robinhood accounts were compromised in a hacking spree. Some complained there was no one available to call.
The start-up that popularized free trading tripled the size of its customer-service staff in 2020, unveiling round-the-clock phone support.
Robinhood advised customers to keep their accounts secure by visiting Help Center > My Account & Login > Account Security. “We’ll never include a link to access your account in a security alert.”