Robinhood data breach impacts millions: What to know

Robinhood, which has already found itself at the center of some controversy in 2021, announced today that it has suffered a security breach. The breach dates back to November 3rd when it says that an "unauthorized third party obtained access to a limited amount of personal information for a portion of our customers." The good news is that Robinhood doesn't think more delicate data, such as social security numbers and credit/debit card numbers have been compromised.

Robinhood data breach - What was leaked?

In a post to its blog today, Robinhood says that the unauthorized party "socially engineered a customer support employee by phone and obtained access to certain customer support systems." The data affected by this breach includes email addresses for around five million people and the full names for a separate group of people that numbers around two million.

A far smaller number of people – around 310 – suffered a more extensive data exposure, with their name, date of birth, and zip code exposed in the breach. Ten unlucky victims had even more data associated with their account leaked, though Robinhood doesn't say exactly what the nature of that data was.

Again, Robinhood says that no social security numbers, bank account numbers, or debit card numbers were exposed in the breach. Still, we're left wondering if those ten people potentially had things like their portfolios or transaction histories leaked. In any case, Robinhood says that it is currently making disclosures to those who were affected by the breach.

Robinhood explains that it is continuing its investigation with law enforcement and security company called Mandiant. The company also notes that the intruder has demanded an "extortion payment," which suggests that the person who made off with this data has also threatened to post it online.

What to do to keep your data safe

As with all security breaches like this, it's best to assume the worst even though Robinhood's investigation hasn't turned up any evidence that financial data or passwords were breached. If you're a Robinhood user, it isn't a bad idea to change your password. Make sure that whatever password you choose is unique, meaning that it should be one you don't already use for other logins.

It's also a good idea to turn on two-factor authentication if you haven't already. With two-factor authentication, knowing your email and password isn't enough for someone to gain access to your account, as they'll also need to provide a one-time code. Robinhood supports 2FA via SMS or an authenticator app, and it's highly recommended that you use the latter as SMS authentication is vulnerable to certain types of attacks. Some of the authenticator apps Robinhood supports include Authy, Duo Mobile, Google Authenticator, and Microsoft Authenticator.

Just as well, you should keep an eye on your email to see if you receive anything from Robinhood, as the company is reaching out to those who were impacted. While we don't know if Robinhood is emailing everyone impacted regardless of severity, it's worth keeping an eye out in any case. We'll let you know when Robinhood shares more about this breach, so stay tuned.