Robinhood recently informed the public that a social engineering attack exposed the data of millions of customers. The attacker phoned a Robinhood support representative and tricked him into installing remote access software on his computer. After the intrusion was contained, the attacker demanded an extortion payment in exchange for not selling the stolen data. Robinhood is working with law enforcement and updating the public as the investigation unfolds.
Robinhood is an online stock trading and investing application that has experienced rapid growth in the past year. The company opened three new offices and tripled the size of the customer service staff in 2020. The company added 24/7 phone support in October and had 17.7 million active users each month as of July 2021. Robinhood has also been dealing with accusations of aggressive tactics and reckless conduct, and the controversy around ‘meme stocks.’ The company also paid a $65 million civil penalty for making misleading statements, and faced litigation stemming from a data breach that took place in 2020. The plaintiff alleges:
“While the company has narrowly focused on break-neck growth, it has neglected to build out its security infrastructure to adequately protect its customers’ sensitive information.
“Rather than freezing the accounts and alerting its customers of the breach right away as required under California law, Robinhood said and did nothing. Only when news outlets reported on the breach did Robinhood acknowledge it had occurred.”
It is estimated that roughly 2,000 Robinhood customer accounts were impacted by the 2020 breach, including many that were using two-factor authentication.
Impact on customers
Robinhood announced details of the current breach on November 8, 2021. In the original blog post, the company stated that the following data was stolen:
- Email addresses of five million people
- Full names for a different group of two million people
- Name, date of birth, and zip code of about 310 people
- Extensive account details of approximately 10 people
On November 16, Robinhood disclosed that several thousand phone numbers had also been exposed. This came only after the media had already reported that the phone numbers were part of the breach. A subset of the stolen Robinhood data is now being offered for sale for a minimum of $10,000.
The screenshot shows the hacker’s post that details the offer of sale. The hacker goes by the name ‘pompompurin’ and is the same threat actor who hacked the FBI email systems on November 13. You can see a larger version of the image in the Bleeping Computer post.
One item of note in the screenshot is that the 310 accounts with personal details are not included in this sale. That leaves just the emails, names, and phone numbers associated with the compromised accounts. You may be wondering why a hacker would pay five figures for basic information.
The answer to this question takes us back to social engineering. The more you know about potential victims, the more easily you can manipulate them. For example, we can assume the owners of these email addresses are:
- Real people with verified bank accounts and identities
- Interested in online trading
- Comfortable sending money through mobile applications
- Inexperienced, first-time investors
- Keeping about $4500 in their Robinhood accounts
A hacking gang can make a convincing spear phishing campaign with this information by impersonating the Robinhood brand and creating messages based on the above assumptions.
The stolen phone numbers enable another social engineering attack known as SIM swapping. In this attack the criminal will try to trick (or bribe) a customer service representative of the mobile carrier into transferring the phone number to a new SIM card. The attacker can then plug the SIM into his own phone and use this to reset passwords, bypass multifactor authentication, and make financial transactions. A similar scam is ‘number port-out fraud,’ in which the attacker convinces the cellular provider to switch the number to a different provider and a device that the attacker controls. Both attacks result in the attacker taking control of the victim’s phone and associated accounts. And keep in mind that at no point in these attacks has the actual victim fallen for any scam.
Negative effects of the data breach
It’s clear from the screenshot and the Robinhood announcement that there may be more data lost than what’s been disclosed. This breach may or may not be lucrative for the criminal, but it will certainly be costly for Robinhood.
There are multiple studies that reveal a link between a data breach and a negative customer perception and loss of revenue. As of this writing, Robinhood stock continues to decline as customers and stockholders react to the breach. The company continues to spend money on investigation, remediation, and other post-breach costs. It will be many years before Robinhood and its customers know the full cost and damage of the incident.