Hackers stole the personal information of 7 million Robinhood users and later demanded a ransom in a Nov. 3 voice phishing or “vishing” attack. The attack involved a thief impersonating an authorized party over the phone with a customer-support employee — a technique known in a security context as social engineering. This gave the hacker access to email addresses, full names and more extensive personal information on customers who trade on the Robinhood app.

Robinhood announced the hack on Monday, saying the incident took place last week and that the breach has since been contained.

No customers lost money and no Social Security numbers, bank account or debit card numbers were exposed, Robinhood said in a blog post dated Nov. 8. However, the hackers got 5 million email addresses, the full names of another 2 million people and more personal information on 310 people including name, date of birth, and zip code.

“After we contained the intrusion, the unauthorized party demanded an extortion payment,” Robinhood said in the blog. “We promptly informed law enforcement and are continuing to investigate the incident.”

With $95 billion in assets under custody and 22.4 million net funded accounts, Robinhood is an attractive target for malicious attacks, Wall Street Journal reported.

The company reported in its securities filings that its cryptocurrency arm was found to be in violation of state cybersecurity requirements after being investigated by the New York Department of Financial Services. Robinhood settled with the state regulator for an expected $30 million and must hire an outside monitor, according to the filings.

Customer names and email addresses may not appear to be particularly sensitive information but they can be useful to hackers down the road, according to Allison Nixon, chief research officer at Unit 221B LLC, a cybersecurity investigations company.

A social-engineering attack on a company-support representative is often an early step in a broader effort to mine both stolen and public data to target and impersonate victims in future attacks, Nixon told the Wall Street Journal. “These companies are basically being used as a phone book,” she said.

Customers are used to hacks and to giving some of their most private data — Social Security numbers and bank account details — out online. But being nonchalant about the Robinhood data breach probably means they’re underestimating how seemingly-non-sensitive details can make them vulnerable, Bloomberg reported.

Now that a hacker knows 7 million people who actually are Robinhood customers, they can “impersonate Robinhood and get users to log into their Robinhood accounts. They know these people are going to be susceptible because they’re Robinhood customers,” said Mark McCreary, co-chair of privacy and data security practice at the law firm Fox Rothschild.

This isn’t the first time Robinhood customers have been hacked. In 2020, close to 2,000 account owners were compromised when funds were lost. 

“Robinhood should view it as a big deal,” said Rebecca Wright, professor of computer science at Barnard College and chair of the Cybersecurity Research Center at the Columbia Data Science Institute. “Companies should have strong security practices. For someone to get that kind of access, it is a big deal.”

Robinhood customers should be highly suspicious of any Robinhood emails going forward, said Jake Moore of internet-security company ESET.

Listen to GHOGH with Jamarlin Martin | Episode 74: Jamarlin Martin Jamarlin returns for a new season of the GHOGH podcast to discuss Bitcoin, bubbles, and Biden. He talks about the risk factors for Bitcoin as an investment asset including origin risk, speculative market structure, regulatory, and environment. Are broader financial markets in a massive speculative bubble?