Hacking seems to be all the rage as of late. Last month both the second-largest TV operator in the US, Sinclair Broadcasting, and the National Rifle Association (NRA) became victims of ransomware attacks. These cyber-assaults were recently followed up by a cyber ambush after nine high-profile organizations across the world were subjected to infiltrations by hackers. Now, according to The Verge, the popular stock app Robinhood can be added to the ever-growing list after the app confirmed that over 7 million of its users’ accounts had been compromised.
On November 8th Robinhood put out an announcement on its website confirming that on November 3rd they experienced, in their words, “a data security incident” and that “a limited amount of personal information for a portion of our customers” had been collected by the hackers. Robinhood maintained that the data that the cybercriminals were able to obtain did not include any personally identifiable information like social security numbers or banking account details.
However, in direct contrast to what Robinhood put out in the statement to their users, Vice was able to obtain information that suggests that hacker was able to acquire a lot more sensitive information than Robinhood was letting on. According to Vice the hackers were able to successfully access an internal tool that allowed them to strip user accounts of certain important security features. For instance, Vice found evidence that the hackers were able to remove multi-factor authentication, meaning that, essentially all they needed to do in order to break into a user’s account was to crack their password.
An anonymous source that claimed to be somewhat of a liaison for the unidentified hackers provided redacted screenshots of the tool that illustrated just what the hackers were likely able to see. The screenshots correlated with the informant’s claim that the hackers used this tool. Vice reached out to Robinhood for a comment to which they replied that their investigation did not reveal that any such tool had been utilized and suggested that the hackers bribed one of their employees who were authorized to use the tool to provide them with the redacted screenshots. However, if an employee was bribed and did provide the screenshots, then couldn’t it be possible that the hackers were able to use said employee to gain access to the tool as well?
As it turns out Robinhood did end up later admitting that while the vast majority of the 7 million compromised accounts did not incur any serious lapses in security and the personal information on those accounts remain safe, they did disclose that “We…believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed,” and that approximately 10 accounts did suffer more serious breaches at the hands of the hackers. “As we disclosed on November 8, about 10 customers had more extensive account details and information exposed,” said a spokesperson on behalf of Robinhood. The company also went on to admit that the screenshots Vice had obtained did in fact relate to those compromised accounts.
Following their disclosures, Robinhood said that it has taken steps to contact and rectify the immediate victims of the hacks. Still, all Robinhood users should remain vigilant and take steps to secure their accounts (like changing their passwords and verifying that multi-factor authentication is working) because reports have also suggested that the hackers are still advertising the stolen Robinhood information within the underground hacking community.