Robinhood Pwned…. Data Swiped…. And The Internet Reacts

Robinhood reveals that they had a data breach on their blog yesterday: Robinhood Announces Data Security Incident. Bloomberg carried the story here: Robinhood Security Breach Exposes Data on Millions of Users:

The intruder obtained email addresses of about 5 million people as well as full names for a separate group of about 2 million, Robinhood said Monday in a statement. For some customers, even more personal data was exposed, including names, birth dates and ZIP codes of about 310 people, and more extensive information belonging to a group of about 10.

This is very bad. And I have a round-up of comments regarding this hack:

Doug Britton, CEO, Haystack Solutions:

   “Threats will always be in lockstep with the evolution of banking as we enter a new digital era where it is dramatically more difficult for the average employee to recognize threats. This breach centers around a customer service rep, not a system vulnerability per se. The best defense in any case is a highly skilled cyber team. The public and private sectors need to continue to invest in the next generation of cyber professionals to combat the persistent threat of bad actors, regardless of their targets, or we risk an imbalance in security that will hinder new evolutions in finance.”

Saryu Nayyar, CEO, Gurucul (she/her): 

   “This must be a hacker with a sense of humor, although the actual loss of data is by no means funny. It’s ironic that the trading app Robinhood was hacked, with the possible loss of information on up to seven million users in a ransomware attack. After all, the historical Robin Hood was renowned for robbing from the rich and giving to the poor. We’re guessing that those who did the hack aren’t going to give it to the poor.

   “It remains to be seen which group is responsible, and whether or not Robinhood paid the ransom, so this remains a developing story. And while it’s not easy to hack millions of records out of a system, it seems to happen on almost a daily basis these days. Legitimate customers deserve better protection than they seem to be getting these days.”

Ron Bradley, VP, Shared Assessments:

   “In the 1984 movie Beverly Hills Cop, there is a famous Eddie Murphy line: ‘Look, man, I ain’t fallin’ for no banana in my tailpipe!’ So what does this have to do with the Robinhood hack? This is a prime example of social engineering, which has been around for decades. While technical controls help us to guard against threat actors, there will always be instances where someone will fall for a ruse.

   “In this particular case, the type and number of records reportedly compromised aren’t particularly alarming to me. The fact is, anyone reading this column has most certainly had their data compromised in one fashion or another. The good news is, there were no reports of passwords being stolen, which would change the equation. Regardless, this is just another reminder of the importance of not reusing credentials across multiple platforms, particularly those which involve financial transactions.

   “There’s no substitute for implementing multi-factor authentication, password managers, and good cyber hygiene to reduce the blast radius in the case where personal information is part of a data breach or even a targeted attack.”

Rajiv Pimplaskar, CRO, Veridium:

   “Financial services and e-commerce consumer accounts are a magnet for bad actors to exploit, as they offer easy access to money as well as PII (Personally Identifiable Information) that can be later misused. Password sharing is often domain specific, and an individual is more apt to share passwords between their financial accounts, making lateral movement easier and facilitating a larger number of breaches.

   “While traditional 2FA (Two Factor Authentication) can mitigate the issue, it still doesn’t solve for the MITM (Man In The Middle) attacks where phished authentication credentials can be introduced into an alternate compromised channel enabling the fraudster to take control.

   “BFSI (Banking, Financial Services and Insurance) companies as well as the retail industry need to mandate passwordless customer authentication methods leveraging W3C WebAuthn and FIDO Alliance standards. These methods establish an unphishable relation between the user and their account, making the environment immune to such data breaches and ransomware incidents. Furthermore, such solutions are easier to use and more cost effective to operate, enabling great adoption.”

Garret Grajek, CEO, YouAttest:  

   “Data breaches are the outcome of the constant scanning, exploring and probing that are being done on all internet resources today. Attackers use automated tools for 24/7 scanning; they then automate mapping to vulnerabilities and map exploitation tools to the discovered vulns. This is why zero-day hacks are, by nature, ahead of the patches: bad actors find the vulnerability before vendors have identified it, let alone patched it. It’s essential to use hardened platforms and adhere to solid security practices like the NIST 800-53, PR.AC-6, the principle of least privilege. We must assume our sites and the credentials themselves will be hacked and ensure that each identity provides the least amount of exposure to the enterprise resources. This is best practiced through identity triggers and reviews, which help an enterprise discover over-privileged identities and malicious changes to permissions of compromised identities.”

Robinhood has some explaining to do. And I suspect that many, many people will be asking them to explain themselves.

UPDATE: I have one more comment from Anurag Gurtu, CPO, StrikeReady:

Recently, Robinhood has been under intense scrutiny. Earlier this year, it halted the trading of meme stocks and got retail traders furious when they were not able to sell the stock, which caused the price of these stocks to crash quickly. The SEC has been investigating since then to determine if Robinhood was colluding with Citadel to halt trading in these stocks, considering Citadel is one of Robinhood’s largest customers and holds large short positions against these meme stocks.

And with the current breach, Robinhood’s situation has gotten worse. Individuals in the retail trading community, who are outraged, now have to deal with their PII being compromised. Retail traders are not using Robinhood, as evidenced by its stock taking a nosedive post-earnings. The monthly active users have declined by 11%, and these users are moving to other platforms for crypto trading.
