In brief

  • The data breach resulted in the hacker obtaining millions of customer emails.
  • The hacker attempted to blackmail the company, but Robinhood contacted law enforcement.

Robinhood announced on Tuesday that it suffered a "data security incident" that saw a hacker make off with millions of customer email addresses and, in the case of a handful of clients, additional personal information as well.

In a blog post, the popular stock and crypto-buying app described how a hacker tricked one of its customer support employees into giving out information that let criminals make off with a large trove of data. Robinhood described the incident, which the company discovered on November 3, as follows:

"The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems. At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people."

According to Robinhood, the hacker did not obtain sensitive personal information such as Social Security numbers or banking information for most of the affected customers. But the company added that, in the case of around 310 customers, the hacker made off with additional data such as their birth date and home address—while 10 customers had "more extensive account details revealed."

Robinhood added that the hacker contacted the company to demand payment (an attempt at blackmail, in other words) but that the company contacted law enforcement.

The company did not say what other steps it is taking to address the incident, but advised customers looking to secure their accounts to consult the "Account Security" menu in their app.

The blog post did not state whether the hack affected specific segments of its customer base, including its growing crypto business.

The Robinhood breach underscores the ongoing danger posed by hackers and, in particular, by so-called "social engineering," which describes impersonating corporate executives in order to steal money or data. Ironically, the recent hack comes just weeks after Robinhood became the first crypto company to offer 24/7 customer service—a measure that provided the hacker with the opportunity to steal data.

Robinhood is not the only crypto company to be victimized by hackers. Last month, Coinbase revealed that criminals had figured out a way to overcome its SMS two-factor authentication and robbed more than 6,000 customers.