Robinhood is a commission-free stock trading and investing company. The company also allows users to trade cryptocurrencies for free. On the plus side, there is no minimum amount required to open an account, and both the site and the app have streamlined interfaces that make them easier for customers to use. There are, however, no options to invest in some of the safer vehicles, such as mutual funds, retirement accounts, and bonds.
A recent data breach saw 7 million users of this investment company fall victim to malicious actors who are selling user credentials on a popular hacking forum or marketplace. Robinhood disclosed the breach after an employee reported being hacked last week. The investigation found that the threat actor used the employee account to access the information of approximately 7 million users via the customer support systems.
In this breach, malicious actors stole some significant information, including the email addresses of 5 million customers and the full names of another 2 million customers. In addition, 300 users had their name, zip code, and birthdate stolen, and 10 individuals had still more information stolen. According to pompompurin, the alleged attacker, these 310 people did not have their information listed for sale. Though some of this information, such as email addresses, may not seem valuable on its own, it is very valuable to a malicious hacker. Stolen email addresses tied to financial services such as those provided by Robinhood are popular on these hacker platforms because they can be used in targeted phishing attacks that are tailored to these individuals better than if the addresses had been stolen from other sources. This can allow these actors to gain access to more highly sensitive information. The threat actor, pompompurin, said that he was selling the information for the 7 million users for at least $10K each.
The malicious actor gained access to these accounts and their sensitive information through a technique known as social engineering, in which an attacker manipulates a chosen target into giving up the information the attacker wants. In this case, the hacker was able to gain access to the Robinhood customer support systems after tricking a help desk employee into installing remote access software on their computer. Social engineering is like puppeteering the victim into taking part in the attack themselves. In the case of the Robinhood attack, it was just the trick the hacker needed to gain access to and sell the personal information of 7 million individuals.
Image from Slate.com.