Popular stock trading app Robinhood recently experienced a security breach that exposed the personal information of millions of users. While most Robinhood users — and their investments — are safe, there are still important steps you should take to keep your accounts and personal data secure.
What was stolen in the Robinhood security breach?
In an official blog post, the company says the attack took place on November 3, when an “unauthorised third party” used social engineering to gain access to a portion of the app’s customer support system. Robinhood’s security team successfully secured the compromised database, but the lone hacker then demanded an extortion payment. Robinhood reported the attack to the authorities and to the third-party cybersecurity firm Mandiant instead of complying with the hacker’s demands.
According to Robinhood’s internal investigation, the breach compromised the email addresses for at least five million accounts and the full names of an additional two million users. Of the compromised accounts, at least 310 also had their zip codes and date of birth information accessed, and 10 users had “extensive account details revealed.”
Robinhood did not disclose what additional information was compromised, but the company assures users that “no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident,” even for the most-affected accounts.
How to keep your accounts and data safe
Robinhood is contacting the subset of users most affected by the breach with steps to secure their accounts. For everyone else, the company suggests checking its Account Security support page for ways to increase your account security. Most of the tips are standard cybersecurity measures everyone should use on all the accounts they use, like turning on two-factor authentication (2FA) and using a strong, unique login password, but there are also helpful resources specific to the Robinhood app, such as ways to keep your Robinhood account safe while travelling abroad and how to spot and report fraudulent activity.
Since passwords and financial information were unaffected, it is unlikely your bank or other accounts and apps were compromised even if someone lifted your email address or full name. Such information is easy to find through other means. Still, it’s possible hackers could launch phishing scams and email-based malware attacks using that information, so brush up on how to spot online scams and make sure you’re protecting your devices with reliable anti-malware apps.