Data stolen in the attack that compromised Robinhood systems and stole private information on millions of people is now up for sale.
Robinhood revealed that it fell victim to a cyberattack in which an unknown threat actor tricked a customer support employee into installing remote access software. Even more interesting is that this hack used no malware — it relied solely on social engineering.
These types of intrusions show that employee training is just as necessary as a security solution. It’s hard to catch an intruder when an employee simply opens the doors and hands over the key to the kingdom.
BleepingComputer reached out to the threat actor and verified that the data was accurate and on sale for a “five-figure” sum. The hackers also revealed that they also obtained some more in-details information on a handful of people, and Robinhood confirmed the information.
“As we disclosed on November 8, we experienced a data security incident and a subset of approximately 10 customers had more extensive personal information and account details revealed,” Robinhood told BleepingComputer.
“These more extensive account details included identification images for some of those 10 people. Like other financial services companies, we collect and retain identification images for some customers as part of our regulatory-required Know Your Customer checks.”
This was only possible because the threat actor had complete remote control over the customer support systems, allowing them to steal credentials and even take screenshots, which they also shared.
What distinguishes the Robinhood attack is that the attackers quickly resorted to blackmail after stealing the information and didn’t just dump the data on hacking forums for a small price.
In the initial announcement, Robinhood said the hackers obtained a list of email addresses for approximately 5 million people and full names for a different group of roughly 2 million people. Around 310 people had been more affected, with criminals obtaining additional personal information, including name, date of birth and zip codes.