Robinhood data breach exposes 5M email addresses, personal data

Online stock trading platform Robinhood on Monday said a third party gained unauthorized access to its systems and made away with sensitive user data including the email addresses of five million users.

Along with the five million user email addresses, the full names of some two million people were exposed in an incident that took place on Nov. 3, the company said in a blog post.

Additionally, about 310 people saw more sensitive information disclosed, including names, dates of birth, and zip codes. More extensive account details were revealed for a subset of that group.

Robinhood believes that no Social Security numbers, bank account numbers or debit card numbers were revealed to the intruder, adding that the breach did not result in financial loss for its customers.

"As a Safety First company, we owe it to our customers to be transparent and act with integrity," said Robinhood Chief Security Officer Caleb Sima. "Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do."

According to The Wall Street Journal, the unauthorized party gained access to Robinhood's customer support systems by impersonating an authorized party to an employee by phone. The company informed law enforcement after a ransom was demanded.

Robinhood is in the process of informing customers impacted by the intrusion and continues to investigate the incident.

Follow AppleInsider on Google News

5 Comments

StrangeDays

said about 2 years ago

If there are no consistent, firm financial penalties for these companies, they have little incentive to harden their data stores. Every quarter there's another one. Besides corporate penalties, the highly-paid c-suite executives should also be financially penalized. If they don't feel the pain, they can't instill the importance to their teams.

vztrv1

said about 2 years ago

Begging your pardon but you seem to want to punish the victim of a crime here. If someone breaks into my home is it my fault because I didn’t upgrade my security every month?
The sad truth is just like a house where someone determined enough will break in there is no such thing as invulnerable security. Computer users are in a no win scenario of fighting a purely defensive war against an enemy operating with complete impunity. That’s an impossible situation. I think it’s time our government which by charter exists to protect and defend should engage by offering assistance to fortify the vulnerable and aggressively prosecute the perpetrators.

StrangeDays said:

If there are no consistent, firm financial penalties for these companies, they have little incentive to harden their data stores. Every quarter there's another one. Besides corporate penalties, the highly-paid c-suite executives should also be financially penalized. If they don't feel the pain, they can't instill the importance to their teams.

beowulfschmidt

said about 2 years ago

vztrv1 said:

Begging your pardon but you seem to want to punish the victim of a crime here. If someone breaks into my home is it my fault because I didn’t upgrade my security every month?
The sad truth is just like a house where someone determined enough will break in there is no such thing as invulnerable security. Computer users are in a no win scenario of fighting a purely defensive war against an enemy operating with complete impunity. That’s an impossible situation. I think it’s time our government which by charter exists to protect and defend should engage by offering assistance to fortify the vulnerable and aggressively prosecute the perpetrators.

Slightly different scenario here. When someone breaks into your house and steals your stuff, then you are the only victim. But when a company fails to protect its client's information in the face of breach after breach after breach, then yes, they hold some level of responsibility. It's certainly not as great as the criminal's, of course, I totally agree on that one, but these companies have both legal and moral obligation to protect the sensitive data of their clients.

StrangeDays

said about 2 years ago

vztrv1 said:

Begging your pardon but you seem to want to punish the victim of a crime here. If someone breaks into my home is it my fault because I didn’t upgrade my security every month?

The sad truth is just like a house where someone determined enough will break in there is no such thing as invulnerable security. Computer users are in a no win scenario of fighting a purely defensive war against an enemy operating with complete impunity. That’s an impossible situation. I think it’s time our government which by charter exists to protect and defend should engage by offering assistance to fortify the vulnerable and aggressively prosecute the perpetrators.

StrangeDays said:

If there are no consistent, firm financial penalties for these companies, they have little incentive to harden their data stores. Every quarter there's another one. Besides corporate penalties, the highly-paid c-suite executives should also be financially penalized. If they don't feel the pain, they can't instill the importance to their teams.

Yeah no. Here in enterprise land (Capital One, Petco, federal govt, etc), securing our customer data is part of the job. In fact it’s the security officer’s entire charge, if the org has one. They’re entrusted with personally identifiable information (PII), bank accounts, credit card numbers, etc. They’re tasked with protecting these assets. Often they don’t and very little happens.

And are you honestly suggesting the federal government should be tasked with implementing security for private companies? Hmm. I feel like the federal departments have enough on their plates doing the same; most of it is contracted out anyway.

vztrv1

said about 2 years ago

I grant your point - companies housing sensitive data do have a duty to employ a reasonable level of security. The question I raise is what is reasonable. There is no such thing as 100% foolproof security - anyone who claims to be foolproof will follow the Titanic to the grave. My concern with your original comment is that you seemed to blame the company with no accounting for their security measures. Hackers find unknown holes every day - it’s nearly impossible for anyone to keep up with them - especially small businesses and non profits. Now Robinhood is no small fry but without knowledge of what precautions they did take makes any judgement premature.

As for the government - I entirely agree that I don’t want them managing anyones internal security - I don’t trust them and applaud Apple for refusing to give them back doors. What I do want is for them to engage this problem more seriously in police and even militarily terms. So long as these perpetrators can act with no fear of consequences the crime spree will continue.

StrangeDays said:

vztrv1 said:

Begging your pardon but you seem to want to punish the victim of a crime here. If someone breaks into my home is it my fault because I didn’t upgrade my security every month?

The sad truth is just like a house where someone determined enough will break in there is no such thing as invulnerable security. Computer users are in a no win scenario of fighting a purely defensive war against an enemy operating with complete impunity. That’s an impossible situation. I think it’s time our government which by charter exists to protect and defend should engage by offering assistance to fortify the vulnerable and aggressively prosecute the perpetrators.

StrangeDays said:

If there are no consistent, firm financial penalties for these companies, they have little incentive to harden their data stores. Every quarter there's another one. Besides corporate penalties, the highly-paid c-suite executives should also be financially penalized. If they don't feel the pain, they can't instill the importance to their teams.

Yeah no. Here in enterprise land (Capital One, Petco, federal govt, etc), securing our customer data is part of the job. In fact it’s the security officer’s entire charge, if the org has one. They’re entrusted with personally identifiable information (PII), bank accounts, credit card numbers, etc. They’re tasked with protecting these assets. Often they don’t and very little happens.

And are you honestly suggesting the federal government should be tasked with implementing security for private companies? Hmm. I feel like the federal departments have enough on their plates doing the same; most of it is contracted out anyway.