The culprit called customer support and, pretending to be an
authorized party, duped a Robinhood employee into providing access to the
customer support computer system, a hacker technique referred to as
"social engineering," the company said in a blog post.
After stealing information from Robinhood, the hacker tried
to extort payment from the company, which opted to alert police and warn users
about the breach, according to the post.
"We owe it to our customers to be transparent and act
with integrity," Robinhood chief security officer Caleb Sima said in the post.
"Following a diligent review, putting the entire
Robinhood community on notice of this incident now is the right thing to
do."
The breach took place late on November 3, with the hacker
snatching about five million email addresses for Robinhood users, along with
the names of about two million other members of the investment service,
according to the company.
Robinhood said it also appeared that the hacker got hold of
names, birth dates and zip codes associated with 310 users, plus additional
account details about some of those people.
"The attack has been contained and we believe that no
Social Security numbers, bank account numbers, or debit card numbers were
exposed and that there has been no financial loss to any customers as a result
of the incident," Robinhood said in the post.
Hackers could use the stolen information to try to trick
Robinhood members with ruses such as "phishing" emails pretending to
be the company.
Robinhood has been credited with introducing a generation of
new individual investors to the stock market, but the platform is also known
for features that critics say can make it addictive.
Game-like aspects of Robinhood have also raised concerns
that users may overlook serious financial ramifications of investing.