Robinhood Data Breach: Hackers are Selling Stolen Data of Millions on Deep Web Forum

Updated: 14 November 2021

The hackers who claim to have breached US trading platform Robinhood today revealed that they are ready to sell the stolen data of millions of customers worldwide.

The hackers are accusing Robinhood of lying and of intentionally omitting that ID card data was exposed.

A Robinhood spokesperson confirmed to Privacy Affairs that some identification images were indeed exposed but added that this happened in fewer than 10 cases.

Highlights:

  • Robinhood revealed on Monday that it suffered a data breach in early November.
  • Hackers stole data from over 7 million customers.
  • Robinhood claims only limited data was stolen.
  • Hackers are already selling and trading the stolen data on deep web forums.
  • The hackers claim that Robinhood lied and ID cards were also stolen and downloaded.
  • A Robinhood spokesperson confirmed to Privacy Affairs that ID cards were exposed, but in fewer than 10 cases.

On Monday, Robinhood announced in a blog post that on the evening of November 3, it experienced a severe security breach. An unauthorized third party managed to gain access to the trading platform’s customer support systems.

The blog post explains that the unauthorized party managed to obtain a list of email addresses of approximately 5 million people and the full names of a different group of approximately 2 million more individuals.

In the blog post, Robinhood commented the following:

“At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people.”

Furthermore, in the case of approximately 310 individuals, additional personal information and details were exposed, including names, dates of birth, and zip codes.

Robinhood explained that the hackers attempted to extort the company, but that law enforcement was notified instead and that an investigation is currently ongoing.

Hackers claim ID cards were also downloaded

Today, the alleged hackers have responded to Robinhood’s blog post on a popular hacker forum and accused the company of lying and downplaying the severity of the breach.

The alleged hackers claim that ID cards were also downloaded from SendSafely, a file transfer system used by Robinhood during customers’ KYC verification process.

The forum poster in question is a senior member and prolific seller with a high reputation.

The hackers claim they are ready to sell the stolen data to interested parties and are not accepting any “low-ball offers.”

They claim that the data could be “highly profitable in the right hands”.

Allegedly the data on the 310 Robinhood customers that includes “additional personal information” is not for sale at the present moment.

Privacy Affairs made Robinhood aware of the sale announcement and the claim that ID cards were also exposed.

A Robinhood spokesperson explained to Privacy Affairs that some ID cards were exposed, affecting fewer than 10 individuals.

A Robinhood spokesperson told us the following via email: “As we disclosed on November 8, we experienced a data security incident and a subset of approximately 10 customers had more extensive personal information and account details revealed. These more extensive account details included identification images for some of those 10 people. Like other financial services companies, we collect and retain identification images for some customers as part of our regulatory-required Know Your Customer checks.”

Initially, Robinhood did not disclose that even ID card scans were affected, and only vaguely stated that “more extensive account details” were revealed for 10 customers.

The above also indirectly confirms the authenticity of the deep web forum sale. The forum sale thread was the only source for the claim that ID cards were also exposed, so Robinhood's admission of the ID card exposure indirectly confirms that the thread is authentic.

Written by: Miklos Zoltan

Founder & CEO Privacy Affairs

Miklos Zoltan is the founder and CEO of Privacy Affairs. Miklos has long-time experience in cybersecurity and data privacy having worked with international teams for more than 10 years in projects involving penetration testing, network security and cryptography.

Miklos founded Privacy Affairs in 2018 to provide cybersecurity and data privacy education to regular audiences by translating tech-heavy and "geeky" topics into easy-to-understand guides and tutorials.
