Robinhood App Admits to Storing User Passwords in Plain Text

July 25, 2019

Robinhood, an online brokerage with a $7.6 billion valuation, is facing scrutiny after admitting that it stored some users’ passwords in plain text. An email was sent to all users informing them of the security lapse, assuring them that the issue had been resolved and that no accounts had been accessed by unauthorized parties. The company also stated that passwords were now being stored as bcrypt hashes. “On Monday night, we discovered that some user credentials were stored in a readable format within our internal systems. We wanted to let you know that your Robinhood password may have been included,” read a portion of the email. Robinhood did not, however, provide technical details of why or how the lapse occurred. The problem was discovered on the same day Robinhood announced $323 million in Series E funding.

Analyst Notes

Since the passwords are now being hashed, they are likely safe for the time being. As a precaution, users should still change their passwords, using a password generator to produce the new one.
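The lapse described above was credentials sitting in a readable format alongside properly hashed ones, which is the kind of thing a periodic audit of the credential store catches. The following is an added example, not Robinhood's code: it scans a constructed (hypothetical) set of stored credential values and flags any that are not bcrypt hashes, plus any bcrypt hashes whose cost factor is below a chosen minimum.

```python
import re
from typing import Dict, List

# Modular-crypt form that bcrypt produces: $2a$/$2b$/$2y$, a two-digit cost
# (04-31), then 22 base64 salt chars + 31 base64 hash chars (60 chars total).
BCRYPT_RE = re.compile(r"^\$2[aby]\$(0[4-9]|[12]\d|3[01])\$[./A-Za-z0-9]{53}$")

# Constructed sample records standing in for a credential table; the value is
# what sits in the stored-password column. Hypothetical data, not real users.
SAMPLE_RECORDS: Dict[str, str] = {
    "user-001": "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
    "user-002": "correct horse battery staple",   # readable plaintext: the lapse
    "user-003": "$2b$04$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
    "user-004": "5f4dcc3b5aa765d61d8327deb882cf99",  # unsalted fast hash (MD5)
}


def classify_credential(value: str, min_cost: int = 10) -> str:
    """Return 'ok', 'weak-cost', or 'not-bcrypt' for one stored value.

    Anything that is not a bcrypt string (plaintext or a legacy fast hash)
    is flagged for remediation; bcrypt below min_cost is flagged separately.
    """
    match = BCRYPT_RE.match(value)
    if match is None:
        return "not-bcrypt"
    if int(match.group(1)) < min_cost:
        return "weak-cost"
    return "ok"


def audit_credential_store(records: Dict[str, str],
                           min_cost: int = 10) -> Dict[str, List[str]]:
    """Group record ids by finding so an operator can act on each class."""
    findings: Dict[str, List[str]] = {"ok": [], "weak-cost": [], "not-bcrypt": []}
    for user_id, stored in records.items():
        findings[classify_credential(stored, min_cost)].append(user_id)
    return findings


if __name__ == "__main__":
    for kind, ids in audit_credential_store(SAMPLE_RECORDS).items():
        print(f"{kind:10s} {ids}")
```

The check is format-only: it tells you which records need re-hashing, not whether the bcrypt values themselves were produced correctly.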