Robinhood notified customers via email of a customer data breach that occurred on November 3, 2021. According to Robinhood’s investigation, the breach exposed:
- Email addresses for 5 million users
- Real names for 2 million users
- Name, date of birth, and zip code for approximately 310 users
- Extensive personal data for approximately 10 users
The threat actor in this incident socially engineered a customer support employee by phone and obtained access to certain customer support systems. Robinhood stated that due to this method of access, it does not believe at this time that credit cards, bank account numbers, or social security numbers were exposed.
In today’s threat environment, representatives of organizations must verify the identity of every caller, including callers who appear to be from someone else in the same organization, on the same team, or at a trusted supplier or vendor. This reduces both insider threats and social engineering attacks by external criminals. It is also important to understand that even when a particular role or account does not have critical access, any level of access can still serve as a starting point for reconnaissance, privilege escalation, and lateral movement.