Robinhood on Monday warned users that a hacker talked their way past the stock-trading app’s defenses, stealing millions of user email addresses and more.
The culprit called customer support and, pretending to be an authorized party, duped a Robinhood employee into providing access to the customer support computer system, a hacker technique referred to as “social engineering,” the company said in a blog post.
After stealing information from Robinhood, the hacker tried to extort payment from the company, which opted to alert police and warn users about the breach, according to the post.
“We owe it to our customers to be transparent and act with integrity,” Robinhood chief security officer Caleb Sima said in the post.
“Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”
The breach took place late on November 3, with the hacker snatching about five million email addresses for Robinhood users, along with the names of about two million other members of the investment service, according to the company.
Robinhood said it also appeared that the hacker got hold of names, birth dates and zip codes associated with 310 users, plus additional account details about some of those people.
“The attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident,” Robinhood said in the post.
Hackers could use the stolen information to try to trick Robinhood members with ruses such as “phishing” emails that pretend to come from the company.
Robinhood has been credited with introducing a generation of new individual investors to the stock market, but the platform is also known for features that critics say can make it addictive.
Game-like aspects of Robinhood have also raised concerns that users may overlook serious financial ramifications of investing.