As if Robinhood users needed any more reasons to worry about security.
Just days after Robinhood disclosed a 'data security incident', Vice reports that the hackers behind that breach had access to internal Robinhood tools that gave them the opportunity to tamper with user accounts, from removing specific users' multi-factor authentication protections to making other changes affecting account security.
Not only can the internal tools accessed by the hackers allow them to automatically log users out of their accounts and view sensitive data, but the hackers can also add "trusted" devices and block certain others from accessing the accounts.
The screenshots show how the hackers could view sensitive information on users such as their balances and trades.
The evidence was handed to Vice by a source who claimed to be a "proxy" for the hackers.
Robinhood shares tumbled to a new all-time low...
The evidence of the internal tools provided by Vice's source isn't super helpful, since the screenshots are mostly redacted.
Tech companies typically have internal tools to make changes to users' accounts. Occasionally, hackers have in the past gained access to these tools for malicious purposes. For example, hackers have gotten access to similar tools at Roblox and targeted similar tools at Twitter.
In an email to Motherboard, a Robinhood spokesperson said that "Certain authorized Robinhood employees have the ability to update accounts as necessary to provide customer support or service accounts, as is standard at most financial institutions and platforms."
Tech companies often have internal tools for employees to make changes to customers’ accounts, sometimes for troubleshooting or to resolve customer service issues. But hackers can in turn gain access to and sometimes leverage those tools. Last year, Motherboard reported how a scammer bribed a worker at popular gaming platform Roblox to access its back end customer support panel. Hackers also recently targeted a similar tool used by Twitter.
Here's how Vice explained the screenshots.
The screenshots show that as well as offering the ability to make changes to users’ accounts, the tool provides notes on specific accounts generated by Robinhood’s fraud team; the devices used to log into Robinhood; the user’s IP addresses; whether the devices are trusted or not; their balances such as net cash as well as their buying power; and their phone number and whether that number is verified or not.
Robinhood had not previously specified that some users' phone numbers may have been exposed.
Another of the screenshots shows an internal message written by a Robinhood employee discussing changes to account security practices. Another shows customer support messages between a specific user and Robinhood.
It's just the latest reminder of how much power some mid-level tech employees can have, and it recalls the case in which a mid-level employee at Twitter targeted the official account belonging to Sen. Tom Cotton.