Last week the online stock trading platform Robinhood disclosed a breach in which roughly five million customer email addresses and about two million customer names were stolen, along with a much smaller set of more detailed customer data.
On November 3 an attacker socially engineered a customer support employee over the phone and gained access to customer support systems, the company said in a blog post. Beyond the email addresses and names, the attacker also obtained full names, dates of birth, and ZIP codes for 310 people.
About ten customers had “more detailed account data leaked,” according to Robinhood. The company said that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that no customers had suffered financial loss as a result of the incident.
However, names, dates of birth, and ZIP codes are routinely used to verify a person’s identity, so attackers can use the stolen data to impersonate victims or to craft convincing targeted phishing emails in follow-on attacks.
After the company contained the intrusion, the attacker “demanded an extortion payment,” Robinhood said. Instead of paying, Robinhood notified law enforcement and engaged the security firm Mandiant to investigate.
The breach resembles the one that hit Twitter in July 2020. A teenage hacker used social engineering to convince several Twitter employees that he was a colleague, which gave him access to an internal Twitter “admin” tool that he then used to take over high-profile accounts and push a cryptocurrency scam. The attack netted a little over $100,000 in bitcoin. Twitter subsequently issued hardware security keys to its employees to harden its defences against similar attacks.
The investigation will almost certainly focus on what gaps allowed a caller to talk a Robinhood customer support agent into granting access to an internal system.
On Monday, Robinhood warned customers that an attacker had gotten past the stock-trading app’s safeguards and obtained millions of user email addresses and other information.
The attacker phoned customer support, posed as an authorised party, and persuaded a Robinhood employee to grant access to customer support systems, a tactic known as “social engineering,” according to the company’s blog post.
After taking the information, the attacker attempted to extort money from the company, which instead chose to notify law enforcement and inform users about the incident, the post said.
“We owe it to our clients to be upfront and behave with integrity,” said Caleb Sima, Robinhood’s chief security officer.
“Putting the whole Robinhood community on notice of this occurrence now, following a thorough assessment, is the appropriate thing to do.”
According to the company, late on November 3 the attacker obtained roughly five million email addresses of Robinhood customers, as well as the full names of a separate group of about two million customers.
The attacker also appears to have obtained the names, dates of birth, and ZIP codes of 310 users, along with more extensive account details for some of them, according to Robinhood.
“The attack has been limited, and we think no Social Security numbers, bank account numbers, or debit card data were disclosed, and that no customers have suffered any loss as a consequence of the incident,” Robinhood said in the post.
Attackers could use the stolen data to target Robinhood users with “phishing” emails that impersonate the company.
Although Robinhood is credited with introducing a generation of new individual investors to the stock market, critics argue that the platform’s features may make it addictive.
Robinhood’s game-like features have also raised concerns that customers could overlook the significant financial consequences of investing.