Skip to content

Robinhood Breach Once Again Reminds Us Why MFA Alone Is Not Enough

2020 was undoubtedly an eventful year for the trading platform Robinhood, and it appears that it is not going to end any differently. On November 3rd the company announced that it had experienced a data breach that impacted 7 million users, with severity and types of data compromised varying across multiple groups of customers.

The most significant part of the breach leaked email addresses for roughly 5 million of the platform’s customers, with full names of 2 million. The same statement from Robinhood indicated that 310 customers may have had full names, dates of birth, and zip codes leaked, with an additional 10 customers having had “more extensive account details” compromised.

Robinhood's statement said that the breach has since been contained, law enforcement has been informed, and the party responsible for the breach demanded payment in an extortion attempt. Robinhood's chief security officer, Caleb Sima, said in the company's statement "As a Safety First company, we owe it to our customers to be transparent and act with integrity."

According to several outlets like Vice, the hackers behind the breach got access to an internal tool that presented them the option of tampering with user accounts, including removing specific users’ multi-factor authentication protections. The news only further highlights the potential risks that hackers can pose to organizations beyond simply compromising user data. Robinhood told Motherboard that it does not appear that the hackers made any changes to customers’ accounts based on their internal investigation.

The screenshots of the tool, which were provided to Motherboard by an individual who presented themselves as a proxy for the hackers, also show buttons for logging users out of their account, adding a trusted device, and blocking certain sessions from accessing the Robinhood account entirely, indicating that this particular breach could have been much worse. The screenshots also show that hackers could view users’ sensitive information, such as account balances and trades.

pasted image 0
Companies often have internal tools for employees to make changes to customers’ accounts, troubleshoot, or resolve customer service issues but without the right security in place, hackers can in turn gain access to those tools and sometimes even leverage them in their favor.

The hack started with a phone call to Robinhood’s customer support, according to the statement that was released. The hacker relied on social engineering to convince an employee to provide "access to certain customer support systems," Robinhood said, circumventing all of the security and access control systems. Social engineering occurs when hackers use psychological manipulation to trick users into making security mistakes or giving away sensitive information. Social engineering depended on human error rather than security vulnerabilities, and given that 24% of data breaches are caused by human error, you can understand why this method is increasingly popular for hackers.

This is yet another breach that reinforces the importance of being able to validate a user’s identity without user input. When security systems are set up to make the user responsible for authenticating themselves, it leaves significant room for breaches and human error, as credentials for SSO/MFA can be stolen, devices can be stolen or lost, all of which leaves data vulnerable. Had Robinhood implemented continuous authentication and passive biometrics into their internal tools security protocols, they would have been much more difficult to hack into and could have prevented the breach from occurring at all.

If you are concerned that your data may have been compromised in the Robinhood breach you can visit Have I Been Pwned to query if your information has been leaked.

More from the Blog

August 21, 2020

Former Uber Security Chief charged for covering up 2016 hack, CISOs may now be thrusted into spotlight after an inevitable breach

Federal prosecutors have charged Uber’s former security chief Joseph Sullivan with obstruction of justice for...
February 10, 2021

Remote hackers attempt to poison Florida city after breaching water treatment facility

A hacker gained access to the water treatment system for the city of Oldsmar, Florida, through TeamViewer, a remote...
December 21, 2021

Preventing CISO Burnout

Burnout is almost inevitable. Each of us will experience burnout in some capacity throughout our careers, but what...

Sign Up for our Blog

We will never share your email address with third parties.