Robinhood Accidentally Left Some of Its Users' Passwords in Plaintext

Robinhood Markets Inc. is a privately-owned financial services company that is best known for its commission-free stock trading app. It recently completed its latest round of financing and is now believed to be worth more than $7.6 billion. You'd think that Robinhood would be perfectly aware of what should and what shouldn't be done when it comes to storing passwords, especially given the fact that its main service revolves around the exchange of large quantities of money. For the most part, it's a fair assumption, but as Robinhood's developers learned to their own cost, mistakes can be made, and when that happens, the potential damage could be quite devastating.

How Robinhood usually stores users’ passwords

We've discussed the matter on these pages, and we've already mentioned that if an online service stores your password correctly, your login credentials should not be visible to anyone, including the provider's employees. Developers who design their applications and websites according to the industry's best practices put people's passwords through a cryptographical function called hashing before storing them in a database. Hashing converts your password into a random-looking string of characters (called a hash value) that bears no visual resemblance to your password, and because the function is (theoretically) irreversible, the hackers can't use the hash value to guess what your password is.

Hashing has its pitfalls as well. We recently talked about how outdated hashing algorithms like MD5 can put your passwords at risk. We've also discussed how the application of cryptographic salts is an integral part of the hashing process because it ensures that two identical passwords won't produce the same hash values.

Robinhood has done its homework. A help page titled "How You're Protected" says that users passwords are hashed with bcrypt. This is good news. Bcrypt is widely acknowledged as one of the strongest hashing algorithms currently available, and it has salting functionality integrated into it.

Based on the information we have, we can say that the system is probably well designed. Recently, however, something went wrong.

Robinhood passwords were left in plaintext due to a technical error

Earlier this week, some Robinhood users started receiving notifications telling them that their passwords hadn't been handled properly. The emails were first reported by ZDNet, and they stated that some people's passwords "may have been" stored in a readable format on Robinhood's backend servers. As soon as they discovered the flaw, the app's developers set about fixing it, and by the time the notifications went out, the vulnerability had already been addressed. Robinhood's team said that they have no evidence of anyone outside the company taking a look at the passwords, but despite this, they still said that affected users might want to change their passwords "out of an abundance of caution". ZDNet asked Robinhood about the number of impacted accounts, but the app's spokespeople decided not to reveal it.

This is not the first time this has happened

It must be said that people working for online services much bigger than Robinhood have made similar mistakes. Last year, for example, Twitter revealed that for a brief while, it stored the passwords of all its 330 million users in plain form. Weeks before it, GitHub admitted that some of its staff could have accessed people's login credentials in plaintext as well. In other words, these things happen every now and again. Robinhood isn't the first application to internally expose people's passwords, and it probably won't be the last.

This doesn't make the problem any less serious, though. Indeed, in all these cases, the passwords were only accessible to employees, which does limit the danger somewhat. Nevertheless, developers should do everything they can to ensure that these mistakes are avoided in the future.