Robinhood's account security issues look like they have just gone from "bad" to "worse".
When reports about Robinhood hacks started making their rounds earlier this month, the company said it only affected a "limited number" of accounts. Now, it looks as though that may be far from the truth.
Upon investigation by Bloomberg, it was discovered that a marketplace on the dark web is selling alleged access to over 10,000 email login credentials for Robinhood accounts. The number of Robinhood e-mail accounts available for purchase outnumber other brokerages by a factor of "5 to 1", according to the report.
Eli Dominitz, chief executive officer of Q6 Cyber, an e-crime intelligence firm explained to Bloomberg why he thought Robinhood emails were so much more prominent: “If they feel that Robinhood gives them greater upside than trying to steal money from Bank of America, that’s what they’re going to do.”
In other words, hackers likely think that Robinhood's response is going to be lackluster.
Robinhood offered up the following excuse: “It is not uncommon for cyber-criminals to target customers of financial-services companies by attempting to use information sourced from the dark web.”
Robinhood also said there were "no signs" that its systems had been breached. But, again, this appeared to be the same boilerplate response we saw earlier this month after many accounts were confirmed to have been breached.
While dark web data being sold isn't always accurate, it often is, Dominitz noted. One of the latest offers made on the marketplace for the tranche of 10,000 emails was for just $3.50 per email.
One Robinhood user, Ryan Bordner, hired an identity theft protection service after being hacked in mid-August. They told him that his information was "among those whose email credentials were sold on the dark web."
Recall, in mid-October we pointed out that 2,000 Robinhood accounts had been hacked, with some having funds siphoned off to external accounts.
Days prior to that report, we published a story about Robinhood users who had seen their accounts looted and were at their wits' end with the company's customer service. Many affected claimed they were unable to contact anyone at the company after logging into their accounts and seeing their funds withdrawn. Robinhood claimed it was only “a limited number” of accounts that had been affected.
But full credit to Bloomberg: at the time, they noted that these users weren't just one-offs, but rather part of a larger group of customers who had been compromised.
This now looks like it could be the case.
Some users said they saw no signs of hacking and had two-factor authentication enabled on their phones for extra protection. Soraya Bagheri is one such example. She had 450 shares of Moderna liquidated from her account and saw that $10,000 in withdrawals were pending. She tried to alert Robinhood, but instead got an email back saying the company would investigate and respond within "a few weeks". In the interim, her money was gone.
Bagheri said she contacted the SEC and FINRA alongside of three other users who had a similar problem. Two of the four users said that the SEC has sought more information from them.
One user, Miah Brittany Laino, said that two factor stopped one person from accessing her account on September 13 and then, after following Robinhood's suggestion to change her password, her account was still hacked. The next morning she woke up to a nightmarish barrage of messages: “It said ‘This stock sold. This stock sold. This stock sold.’ It’s like if you wake up at 4
a.m. and your house is on fire.”
She said she received no response from the company and was unable to find a customer service phone number. She got a call from Robinhood on September 25, she said, informing her someone had created a fake ID under her name to re-activate her account, which had already been locked down for security reasons.
Robinhood eventually restored her money and her stock, but she said she will likely leave the brokerage: “I don’t want to sell right now. But I’m not going to put any more money into it. I don’t really trust them.”
Another customer, Robert Riachi, said his account is still "in limbo". He told Bloomberg that "thousands of dollars" had gone missing from his account and that the company assigned him 10 different case numbers, even after submitting his ID to try and straighten out the issue. He had four years of savings in his account and says he will move to Schwab when he gets his money back.
“I feel like my money could be put somewhere else, somewhere that has a human person that I can talk to. It’s kind of ridiculous that an investment app that’s handling people’s livelihoods, people’s money, has the audacity to make people wait several weeks to hear back anything,” he said.