Robinhood Platform Suffers Data Breach, Info on 7M Users Leaked
The popular Robinhood trading platform announced it had become the victim of a data breach last week. The bad actor who managed to get into Robinhood's infrastructure took off with information belonging to roughly a third of the platform's userbase, or data records on about 7 million people.
The trading platform announced that a threat actor managed to gain access to company-owned servers after they got on the phone with a Robinhood customer support employee and used information obtained from the support operator to gain unauthorized access.
Thankfully, according to Robinhood, no data related to credit card or social security numbers, as well as bank accounts, has been leaked. What leaked were the emails of roughly 5 million Robinhood customers.
The email and full name combos of another 2 million users were also leaked. The last portion of the leak which contained more detailed information on Robinhood users is much more limited in size.
Just over 300 people had their names, emails, ZIP codes and dates of birth leaked. Another 10 people also had what Robinhood calls "more extensive account information" exposed in the leak too.
The bad actor who was behind the attack attempted to extort payment from the trading platform, threatening to leak the stolen data. Robinhood did not provide any commentary on whether a payment was made or not, but stated that the appropriate law enforcement agencies had been contacted and a third-party security consultant firm was brought on board.
In the case of Robinhood, a single incident with a single employee led to the breach, and the exchange took place over a phone call, there were no phishing links or other more conventional social engineering involved. Social engineering attacks of this kind, where the factor of human error is pivotal, serve to highlight the importance of staff training.