In a blog post, Robinhood explained that an "unauthorized third party" engineered the leak through its customer support systems. Users' bank account information, Social Security numbers and other financial data do not appear to have been affected.
There were no monetary losses.
However, the unauthorized party did access about 5 million people's emails and another 2 million people's full names. Some 310 customers' names, birthdays and zip codes were also exposed.
At last count, Robinhood had about 18 million users. If roughly 7 million accounts were compromised, that's over a third of customers affected. Going forward, cybersecurity expert Brian Krebs tweeted Monday, "it's safe to expect an uptick in phishing schemes targeting Robinhood users."
Robinhood has already begun notifying customers of the incident; on Monday afternoon, Twitter lit up with screenshots of emails it was sending to customers. The blog post said Robinhood is investigating the breach in collaboration with law enforcement and a private security team, adding that chief security officer Caleb Sima thought "putting the entire Robinhood community on notice of this incident now is the right thing to do."
It's been a record-breaking year for data breaches and identity theft. The nonprofit Identity Theft Resource Center said last month that nearly 1,300 incidents had been publicly reported through the end of September 2021, outpacing the 1,108 that were confirmed in all of 2020.
This isn't even the first data breach for Robinhood, which went public this past summer. In October 2020, hackers gained access to almost 2,000 accounts via users' email addresses. It was later sued over the incident.
On Monday, Robinhood recommended customers visit its Help Center, navigate to My Account & Login and check Account Security for more details on how to protect their personal data. Robinhood's webpage on security best practices suggests people enable two-factor authentication, use a strong password stored in a password manager and use device monitoring to check for fraudulent activity.