Robinhood says a hacker who tried to extort the company got access to data for 7 million customers

Trading platform Robinhood said Monday that personal information for more than 7 million customers was accessed during a data breach on November 3rd. The company said in a news release that it does not appear that Social Security numbers, bank account numbers, or debit card numbers were exposed, and no customers have had “financial loss” due to the incident.

An unauthorized third party “socially engineered a customer support employee by phone,” Robinhood said, and was able to access its customer support systems. The attacker was able to get a list of email addresses for approximately 5 million people and full names for a separate group of 2 million people. For a smaller group of about 310 people, additional personal information, including names, dates of birth, and ZIP codes, was exposed, and for about 10 customers, “more extensive account details” were revealed.

The company did not provide further information about what those “extensive” details were, but a spokesperson said in response to a query from The Verge that even for those 10 customers, “we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed.” The spokesperson declined to say whether any of the customers may have been specifically targeted in the hack, but the company said it was in the process of notifying those who had been affected.

“Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do,” Robinhood chief security officer Caleb Sima said in a statement.

After it was able to contain the attack, Robinhood said the unauthorized third party sought an “extortion payment,” and the company notified law enforcement but did not say whether it had made any payments. Robinhood enlisted the help of outside security firm Mandiant as it investigates the incident. Charles Carmakal, CTO of Mandiant, said in a statement emailed to The Verge that it had “recently observed this threat actor in a limited number of security incidents, and we expect they will continue to target and extort other organizations over the next several months.” He did not elaborate further.

Customers seeking information about whether their accounts were affected should visit the help center on the company’s website.

Robinhood has had a rocky 2021 so far; in January, it halted trading as Redditors helped push up the prices of so-called meme stocks like GameStop and AMC Theaters. The incidents led to a congressional hearing where CEO Vlad Tenev testified along with Reddit CEO Steve Huffman and trader Keith Gill aka RoaringKitty.

The company began trading on the Nasdaq exchange in July, with the worst market debut among 51 US firms that raised as much money or more than Robinhood, according to data from Bloomberg. In its S-1 filing, Robinhood acknowledged a recent SEC Enforcement Division inquiry and that the United States Attorney’s Office for the Northern District of California had executed a search warrant for Tenev’s phone.