Robinhood has revealed that a recent security breach compromised more user information than the financial services company originally reported. Robinhood confirmed that hackers obtained a list with around 4,400 phone numbers. The company also added that the list includes other text entries from customers, and the company is still investigating the incident.
Robinhood first reported the data breach on Nov. 8. According to Robinhood, the attackers used social engineering tricks to manipulate a customer support employee into letting the hackers access the company's internal systems.
The company says email address data belonging to 5 million users was exposed in the hack, as well as the full names of about 2 million users. Around 300 users also had further details revealed, like their zip codes and dates of birth, while 10 users had “more extensive account details revealed.”
However, phone numbers weren’t mentioned in the company’s first report about the breach.
Social Security and Bank Account Numbers
Robinhood said no customers have experienced any financial losses due to the breach. Also, it believes hackers didn’t obtain information like Social Security numbers, bank account numbers, and debit card numbers, but Robinhood is still analyzing “other text entries” in the list. The company also posted this information in the update to its original blog post regarding the incident and said that it would “continue making appropriate disclosures to affected people.”
After Robinhood identified the data breach, the hackers attempted to extort a payment from the company.
“As a Safety First company, we owe it to our customers to be transparent and act with integrity,” Robinhood Chief Security Officer Caleb Sima said in the original report. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”
Robinhood Data Breach Significance
Losing the phone numbers risks exposing affected Robinhood users to SIM swapping or targeted phishing attacks from the hackers, or from anyone the hackers sold the numbers to. A SIM swapping attack occurs when a hacker tries to trick a cellular provider into handing over access to your mobile phone number. If the cellular provider falls for the deception, the provider will transfer your phone number to a new SIM card, which the hackers can then plug into their device and use to steal your personal information.
Getting SIM-swapped can be particularly harmful because mobile phone numbers are frequently used to receive one-time passcodes to log into or to reset the password of an online account. Robinhood’s app and platform offer two-factor authentication via SMS messages.