Robinhood Markets Inc. disclosed Monday a serious security breach that exposed millions of users’ personal data. The disclosure is most worrying for the approximately 300 customers who were hardest hit by the privacy compromise.
Most of the 7 million affected accounts had only one piece of personal information exposed: either the user’s name or their email address. But in about 310 cases, more sensitive data such as date of birth and zip code was uncovered, as well as the user’s full name. About 10 of those people had “more extensive account details revealed,” Robinhood said, adding that the company is in the process of “making appropriate disclosures” to those users.
Robinhood said that the breach did not compromise Social Security or bank account numbers, and that no customers were otherwise affected by it. It’s not yet.
The danger is that the exposed information could be used to facilitate further attacks of the sort that revealed the users’ data in the first place.
Physical addresses and birthdays are hard to change and are often used as verification checks when signing in to services. The lapse in Robinhood’s data security came through a customer support employee, whose cooperation the attacker obtained in order to gain access to internal support systems.
While Robinhood hasn’t disclosed how long it took to inform affected users of last week’s intrusion, that’s the period when the risk would have been highest. Now that they’re aware of the breach, the best course of action for affected customers is to alter any security checks that rely on their date of birth and to practice good online security hygiene, such as two-factor authentication and skepticism toward emails from unfamiliar senders.
Robinhood claimed it had detected the breach and informed law enforcement. Mandiant Inc. was enlisted to investigate. Mandiant Chief Technology Officer Charles Carmakal said Robinhood “conducted a thorough investigation to assess the impact.”
Still, the company’s “safety first” maxim, oft repeated by executives, will ring hollow to the millions of users who are now a little more vulnerable to phishing attacks and the smaller group who’ll have to be extra vigilant because they chose to use the free-trading platform.