Robinhood said Monday it was hit by a data breach earlier this month that exposed information on millions of customers and that hackers later demanded an extortion payment.
The trading platform said in a statement that the November 3 attack allowed the unauthorized party to obtain a list of email addresses for about 5 million people and full names for another group of about 2 million people.
The company said that for a “limited number of people,” approximately 310 in total, names, dates of birth and ZIP codes were exposed. About 10 customers had “more extensive account details revealed,” Robinhood said, without elaborating.
“We believe that no Social Security numbers, bank account numbers or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident,” the company said in the statement.
After Robinhood contained the intrusion, “the unauthorized party demanded an extortion payment,” according to the statement. The company said it “promptly” informed law enforcement but did not indicate whether it complied with the extortion payment demand.
Shares of Robinhood were down about 3% in after-hours trading Monday.
The unauthorized party gained access to Robinhood’s customer support systems by posing as a customer support employee over the phone, the company said.
Robinhood said it is in the process of making “appropriate disclosures to affected people” and is continuing to investigate with the help of security firm Mandiant.
“As a Safety First company, we owe it to our customers to be transparent and act with integrity,” Caleb Sima, Robinhood’s chief security officer, said in the statement. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”