In a “data security incident” on the evening of Nov. 3, Robinhood said that an “unauthorized third party” had obtained a list of email addresses for approximately 5 million of its customers, as well as the full names for a separate group of around 2 million users. A much smaller number of people had further personal information exposed, it added; around 310 customers had information including their name, date of birth, and zip code compromised, while roughly 10 users had “more extensive account details revealed.”

The company said that based on its investigation into the matter, it believes that “no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident.”

According to Robinhood, the data breach occurred after the perpetrators “socially engineered a customer support employee by phone and obtained access to certain customer support systems.” It said the unauthorized party in question subsequently “demanded an extortion payment” from the company, which “promptly informed law enforcement.” Robinhood added that it is continuing to investigate the incident with the help of outside cybersecurity firm Mandiant.

“As a safety-first company, we owe it to our customers to be transparent and act with integrity,” Caleb Sima, Robinhood’s chief security officer, said in a statement. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”

Robinhood’s stock sank around 3% in after-hours trading in the wake of the news of the data breach. The company’s shares recently dipped below their $38 IPO price after its third-quarter earnings report disclosed weakness in its crypto-trading business.