Robinhood Markets Inc. announced on Monday an embarrassing security breach that exposed the personal information of millions of its users, which will be of particular concern to the 300 or so customers who suffered the worst privacy compromise.
Most of the 7 million affected accounts had only one piece of personal information exposed: either the user’s name or their email address. But in about 310 cases, more sensitive data such as date of birth and zip code was uncovered, as well as the user’s full name. About 10 of those people had “more extensive account details revealed,” Robinhood said, adding that the company is in the process of “making appropriate disclosures” to those users.
No social security, bank account or debit card numbers were compromised and no customer suffered financial loss as a result of the incident, Robinhood said. Not yet anyway.
The danger is that the exposed information could be used to facilitate further attacks of the sort that revealed the users’ data in the first place.
Attributes like birthdays and physical addresses are difficult to change and are commonly used as verification checks when logging in to various services. The lapse in Robinhood’s data security came via a customer support employee, whose cooperation was used to obtain access to internal support systems.
While Robinhood hasn’t disclosed how long it took to inform affected users of last week’s intrusion, that’s the period when the risk would have been highest. Now that they’re aware of the breach, the best course of action for affected customers is to alter any security checks that rely on their date of birth and to practice good online security hygiene, such as two-factor authentication and skepticism toward emails from unfamiliar senders.
Robinhood said it contained the breach, notified law enforcement and enlisted security firm Mandiant Inc. to investigate the matter. Mandiant Chief Technology Officer Charles Carmakal said Robinhood “conducted a thorough investigation to assess the impact.”
Still, the company’s “safety first” maxim, oft repeated by executives, will ring hollow to the millions of users who are now a little more vulnerable to phishing attacks and the smaller group who’ll have to be extra vigilant because they chose to use the free-trading platform.
More finance coverage from Fortune:
- Offsetting Bitcoin’s carbon footprint would require planting 300 million new trees
- Will monthly child tax credit payments continue in 2022? Their future rests on Biden’s Build Back Better bill
- Surging inflation, higher heating costs: Why your bill could double this winter
- Home prices to drop by late 2022, says the Mortgage Bankers Association
- Venus Williams on why she invested in HumanCo
Subscribe to Fortune Daily to get essential business stories straight to your inbox each morning.
