What Was Stolen From the Robinhood Data Breach (and What You Should Do Now) [updated]

The popular stock trading app Robinhood recently faced a security breach that exposed the personal information of millions of users. While the majority of Robinhood users – and their investments – are apparently safe, subsequent investigation revealed that more information was stolen than was originally anticipated, and users need to take steps to keep their accounts and personal data safe.

What was stolen in the Robinhood security breach?

In an official blog post, the company says the attack took place on November 3, when an “unauthorized third party” used social engineering to gain access to a portion of the application’s customer support system. The Robinhood security team contained the intrusion, after which the lone attacker made an extortion demand. Rather than comply, Robinhood reported the attack to law enforcement and engaged the third-party cybersecurity firm Mandiant.

According to Robinhood’s internal investigation, the attacker obtained the email addresses of at least five million accounts and the full names of another two million users. For at least 310 of the affected accounts, the attacker also obtained zip codes and dates of birth, and 10 users had “account details disclosed,” although Robinhood did not say what additional information was compromised for them.

A few days later, on November 16, the company updated its blog post to inform users that more than 4,400 phone numbers had also been stolen. Phone numbers were not mentioned in the initial disclosure, and their presence in the stolen data makes the breach more serious than first thought. Attackers can use phone numbers to send phishing SMS messages and malware links, or to gather additional personal data through social engineering that enables account takeover, SIM-swap attacks, and identity theft.

Robinhood states that no Social Security numbers, bank account numbers, or debit card numbers were stolen, and that “no customer suffered financial loss as a result of the incident.”

However, it remains possible that the attacker obtained other data that Robinhood’s investigation has not yet identified.

How to keep your accounts and data safe

Robinhood is contacting the group of users hardest hit by the breach with instructions on how to secure their accounts, but everyone else is encouraged to check the Account Security support page for ways to improve the security of their account. Most of the tips are standard cybersecurity measures that everyone should apply to every account they use, such as enabling two-factor authentication (2FA) and logging in with a strong, unique password, but there are also resources specific to Robinhood, such as how to secure your Robinhood account when traveling abroad and how to detect and report fraudulent activity.

Since passwords and financial information were not exposed, it is unlikely that your bank or other accounts and apps were directly compromised, even if someone obtained your email address or full name; that information is easy to find in other ways.

However, attackers could use this information to launch phishing and email-based malware campaigns, so learn how to recognize online fraud and make sure your devices are protected with reliable anti-malware software.

And now that we know several thousand phone numbers were stolen, users should be extra vigilant. Update your login details and enable 2FA on any accounts associated with your phone number. As mentioned earlier, attackers can use a phone number to attempt a SIM-swap attack. We have a guide on how to prevent SIM swapping, as well as tips for detecting and responding to it.

We hope this Robinhood leak is finally brought under control, but we’ll be sure to let you know if any other data theft is confirmed.

This post was originally published on November 9, 2021 and was updated on November 17, 2021 with new information.

[The Verge]
