Robinhood Says Five Million Email Addresses Exposed in Customer-Support Breach

Trading platform Robinhood disclosed in a blog post and SEC filing that a social-engineering attack against a customer-support employee on November 3 resulted in unauthorized access to a portion of its customer data.

According to the company, the attacker obtained a list of email addresses for approximately five million customers and full names for an additional two million. A smaller subset of 310 users had additional personal information exposed including names, dates of birth, and ZIP codes; ten of those customers had "more extensive account details" disclosed.

The attacker then demanded a ransom, which Robinhood declined to pay, opting instead to disclose the incident publicly and notify affected customers directly.

"No Social Security numbers, bank account numbers, or debit card numbers were exposed, and there has been no financial loss to any customers as a result of the incident," Robinhood wrote. The company said it has retained Mandiant to assist in the investigation.

Security researchers note that even without financial credentials, large lists of email addresses tied to a financial trading platform are valuable to phishing operators, who can craft targeted lures impersonating Robinhood's communications.

This is the latest in a series of high-profile social-engineering attacks against customer-support staff — a vector that proved central to the July 2020 Twitter breach and that researchers say is broadly underdefended across the financial services sector.