Robinhood data breach hits 7 million customers — what to do now

Robinhood app — how it works and everything you need to know
(Image credit: Shutterstock)

The mobile stock-trading service Robinhood has suffered a data breach affecting more than 7 million people — but insists that the breach is not so bad.

"We believe that no Social Security numbers, bank-account numbers, or debit-card numbers were exposed and that there has been no financial loss to any customers as a result of the incident," Robinhood said in a blog posting yesterday (Nov. 8). 

"We understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people."

However, the firm added, "for a more limited number of people — approximately 310 in total — additional personal information, including name, date of birth, and ZIP code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed."

Robinhood said it was "in the process of making appropriate disclosures to affected people." (The Record had a screenshot of one such message sent to a customer whose email address was exposed.) It did not mention whether any user passwords were exposed in any way.

What to do if you have a Robinhood account

If you have a Robinhood account, it would be best to change your account password ASAP, just as a precaution. The company blog post said you can do so by visiting "Help Center > My Account & Login > Account Security."

Make the new password something unique and strong, and one that you've never used before. Use one of the best password managers if you're having trouble keeping track of all your passwords.

Robinhood said that on Nov. 3, someone called customer support and managed to convince a support representative into granting the caller access to internal systems. After the caller got access, he or she "demanded an extortion payment," which Robinhood doesn't seem to be paying.

The 5 million customers whose email addresses were exposed may see an uptick in spam messages, and should be on the lookout for phishing emails, especially those that may seem to come from Robinhood itself. 

"When in doubt, log in to view messages from Robinhood," the company blog post said. "We'll never include a link to access your account in a security alert."

However, the situation may be worse for the approximately 300 people who had their full names, dates of birth and ZIP codes leaked. Full names and dates of birth will give identity thieves a head start, and ZIP codes can help credit-card thieves use stolen numbers — although, as Robinhood noted, none were apparently taken in this case.

As for the 10 or so people who had even more revealed, Robinhood isn't saying exactly what was taken, so we can only assume the worst. It may be that those people did indeed have passwords taken, or personal details beyond names and dates of birth, in which case they might want to consider signing up with one of the best identity-theft-protection services — which Robinhood ought to pay for.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.