On 8th November, Robinhood announced that 5 days earlier it had been subject to a data breach in which the email addresses of 5 million of its customers were compromised, along with the full names of another 2 million users of the fintech app. The dark web hackers accused the platform of underplaying the hack, claiming that the cyberattack had also exposed the identities of some of its members. While Robinhood also confirmed that a small sample of 310 users had their names, dates of birth and postal codes stolen, it did not believe that the most sensitive information that it gathers – US social security numbers and financial data – was laid bare. In a statement to BBC News, Robinhood said that the breach affected

“…a limited amount of personal information for a portion of our customers.”

Robinhood should not be confused with its namesake English folklore hero, Maid Marian’s beau. The financial technology platform, founded in California in 2015, is an online stocks and shares trading app that also gives investors the opportunity to trade in cryptocurrencies. Robinhood is only available to residents of the United States, and in July the company went public at $38 a share, giving it a valuation of $32 billion. While the platform is commission-free, it faces stiff competition from other discount brokerages, new and established fintech companies, banks, cryptocurrency exchanges, asset management firms and technology platforms.

Back to the breach. Robinhood reported that the attack on 3 November was the result of a social engineering ploy. The cybercriminal made a phone call to the platform’s customer support service and, through a convincing scam, persuaded an employee to provide:

“…access to certain customer support systems.”

In this way, login details were divulged, giving the hacker access to the sensitive information of millions of Robinhood customers. The company also confirmed that, after the intrusion, the hacker demanded an extortion payment.

Wisely, Robinhood did not give in to the extortion demand and refused to pay. The platform notified the relevant law enforcement agencies and hired the security firm Mandiant to investigate the incident. Robinhood’s security officer, Caleb Sima, said in a published statement:

“We owe it to our customers to be transparent and act with integrity. Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”

Was the Robinhood attack avoidable? Definitely. Had the employee who took the call from the hacker been adequately trained in cybersecurity awareness, they would have instantly spotted the con and hung up. And this is where Zhero can help. As a professional business IT company with more than 20 years of experience in the field, we specialise in cybersecurity awareness and training, risk mitigation and data protection. Remember that prevention is always better than cure. Contact Zhero today for all your cybersecurity training needs.