Robinhood Markets Inc. announced on Monday an embarrassing security breach that exposed the personal information of millions of its users, which will be of particular concern to the 300 or so customers who suffered the worst privacy compromise.
Most of the 7 million affected accounts had only one piece of personal information exposed: either the user’s name or their email address. But in about 310 cases, more sensitive data such as date of birth and zip code was uncovered, as well as the user’s full name. About 10 of those people had “more extensive account details revealed,” Robinhood said, adding that the company is in the process of “making appropriate disclosures” to those users.
No social security, bank account or debit card numbers were compromised and no customer suffered financial loss as a result of the incident, Robinhood said. Not yet anyway.
The danger is that the exposed information could be used to facilitate further attacks of the sort that revealed the users’ data in the first place.
Attributes like birthdays and physical addresses are difficult to change and are commonly used as verification checks when logging in to various services. The lapse in Robinhood’s data security came via a customer support employee, whose cooperation was used to obtain access to internal support systems.
While Robinhood hasn’t disclosed how long it took to inform affected users of last week’s intrusion, that’s the period when the risk would have been highest. Now that they’re aware of the breach, the best course of action for affected customers is to alter any security checks that rely on their date of birth and to practice good online security hygiene, such as two-factor authentication and skepticism toward emails from unfamiliar senders.
Robinhood said it contained the breach, notified law enforcement and enlisted security firm Mandiant Inc. to investigate the matter. Mandiant Chief Technology Officer Charles Carmakal said Robinhood “conducted a thorough investigation to assess the impact.”
Still, the company’s “safety first” maxim, oft repeated by executives, will ring hollow to the millions of users who are now a little more vulnerable to phishing attacks and the smaller group who’ll have to be extra vigilant because they chose to use the free-trading platform.