Robinhood, the online trading platform that’s already seen no shortage of controversy, announced Monday that a fraudster “socially engineered a customer support employee by phone and obtained access to certain customer support systems,” getting access to lists of names and email addresses for millions of customers.
The company said the scammer accessed a list of about five million people’s email addresses and a separate list of about two million people’s full names. About 310 people saw their name, date of birth, and zip code exposed, while about 10 Robinhood customers had “more extensive account details revealed.” Robinhood is reaching out to affected people.
The hacker demanded a ransom payment. Robinhood contacted law enforcement and is working with the cybersecurity firm Mandiant to continue the investigation, according to the company’s statement.
Robinhood said people who want to change their security settings can access its website’s security menu. The National Cybersecurity Alliance, an industry group, advised Robinhood customers to change their passwords and set up multifactor authentication as a precaution.
Robinhood warned customers it wouldn’t send links to access their accounts in emails, perhaps concerned about potential phishing attacks using the leaked email addresses.
It’s far from the first issue to face Robinhood, which was one of the companies that pioneered commission-free online stock trading, now an industry norm. The company last year agreed to pay $65 million to settle Securities and Exchange Commission allegations it misled customers about how it makes money, which involved payments from financial companies where it routed customer orders. The SEC said that contributed to worse share prices for its customers.
Robinhood customers have also had difficulty trading stocks and cryptocurrencies, often during times of volatility, including this year’s meme stock boom.