Robinhood app and logo on the screen of a smartphone showing data breach due to social engineering on trading platform

Data Breach of Robinhood Trading Platform Blamed on Social Engineering, Similar to 2020 Twitter Breach

Robinhood, the most popular app-based trading platform for non-professional investors, has confirmed that it suffered a data breach last week that potentially compromised millions of names and email addresses. It appears the attackers may have been after more select accounts, however, as the platform says that further contact information was revealed for 310 of its customers.

The data breach has a number of similarities to the Twitter hack of 2020, starting with the use of social engineering to convince a Robinhood employee to provide access to customer service systems.

Trading platform extorted after attacker gains access by phone

A blog post from Robinhood describes the data breach as taking place on November 3. The trading platform claims that the email addresses of about five million people and the full names of a different group of about two million people were exposed to the attacker. A more limited amount of customers, about 310 people, had additional personal information from their registration profiles (such as date of birth and zip code) exposed.

The trading platform said that about 10 customers had “more extensive” information exposed, but did not elaborate. It did lead off the post by saying that Social Security and financial account numbers were not exposed in any of these cases, however.

Gary Gardiner, Head of Security Engineering APAC & Japan for Check Point Software, elaborates on the risks that Robinhood users can expect to face as a result of this data breach: “The information leaked here is sensitive and bad news for the Robinhood community. Malicious hackers can use the information leaked to carry out more attacks against the victims, like targeted phishing emails, as names and dates of birth can often be used to verify a person’s identity. We urge Robinhood users to change their passwords immediately, enable two-factor authentication, and to watch out for any suspicious emails in their inboxes. According to our research, 58% of malicious files in the US were delivered via email this year.”

As happened with the Twitter data breach last year, the attack began with a call to customer service that was escalated (through unspecified means) to access to some of the trading platform’s customer support systems. Robinhood says that the attacker immediately attempted to extort them after gaining access, at which time they retained security firm Mandiant to assist with remediation. The trading platform also said that law enforcement had been involved.

Robinhood’s blog post did not specifically indicate whether the millions of records were successfully exfiltrated by the attacker, or if they simply had access to that many during the data breach window. The trading platform said that the extortion demand came after the breach had been secured, and that it will be notifying any impacted individuals. Robinhood offers multi factor authentication, but it was not on by default prior to the data breach.

Data breach adds to Robinhood’s 2021 woes; social engineering hits another major platform

While most of the seven million people impacted by the Robinhood data breach will not see significant risk from the limited information that was taken, they should expect follow-up attacks that appear to come from the trading platform.

The data breach also caps off a rough year for Robinhood, which began with its central role in the run on GameStop stock in early 2021 that pumped the video game retailer’s value far beyond expectations. The trading platform was accused by some users of taking the side of institutional investors and slowing down or halting trading when hedge funds stood to lose too much to retail investors coordinating to put a “short squeeze” on; a $10 billion lawsuit was brought against Robinhood in September, and internal emails that came out during the discovery process indicate the trading platform could be in some trouble.

In June the company received the largest fine ever issued by the Financial Industry Regulatory Authority, a total of $57 million plus over $12 million in direct reimbursements to customers, due to failure to report customer complaints to the agency and multiple incidents of showing customers the wrong information in the app (such as incorrect negative cash balances). The trading platform fielded a private lawsuit earlier in the year over related account issues, when a young trader took his own life after erroneously believing he had lost $730,000 on a trade and being able to reach anyone at the company to discuss it.

Mandiant did not have an identification for the threat actor behind the Robinhood breach, but did say it was one that they recognized from similar activities in recent months. The firm expects continued action from the perpetrator.

Ransomware has taken up the headlines over the past year as attacks lock up critical infrastructure for days, but social engineering has been the entry point for some high-profile incidents. The biggest of these was the attack on Twitter in July 2020, perpetrated by teenagers looking to take over high-value accounts and run a cryptocurrency scam. Twitter did not release explicit details of how the data breach occurred, but did confirm that a “small number” of employees were socially engineered by phone and gave the attackers access to administrative tools that provided essentially unfettered access to user accounts; even multi factor authentication could be bypassed.

Josh Yavor, CISO of Tessian, notes that social engineering must not be overlooked as a path of entry, particularly when public-facing customer service reps have access to internal administrative tools that can compromise the entire platform: “This is a reminder that people in external-facing roles such as customer support, sales, and recruiting need extra support from security teams as they are required to engage with strangers as part of their everyday job and they also have access to sensitive data about the business and customers.  We can expect that attackers will continue to target people in these roles and invest in more sophisticated social engineering efforts in order to gain a privileged foothold within organizations that they target. Companies should review their processes to ensure that there is adequate validation when people email or call in, especially when sensitive data is handled or higher risk actions are requested of customer success personnel.”

Erich Kron, security awareness advocate at KnowBe4, adds some thoughts on how to train employees to recognize and handle these attempts: “The bad actors behind these attacks are often highly-skilled and very convincing when they get a potential victim on the line. Unfortunately, technology is not good at stopping these attacks, so the best defense against these attempts is education and training. Employees should be trained to spot and report social engineering and phishing attacks using short, focused training modules and organizations should have a policy telling employees how to report these attacks.”

And Alicia Townsend, technology evangelist at OneLogin, believes that even companies that are already training for prevention of social engineering attempts need to step up and refine their efforts: “Cybersecurity education needs to occur more than once a year in the form of self-paced online training. It needs to be spread throughout the year – run drills, send out fake phishing emails, have someone place USB drives out, use these types of tactics to teach employees what they might be up against, what they should be on the watch for and how to handle different scenarios. Most people learn best through hands-on learning. As a second form of defense employees should be limited in what they have access to. Least Privilege Access principles should be applied everywhere, especially when it comes to customer data. This way if an attacker is able to get past the employee and trick them, what they will have access to will be limited.”