Cybersecurity experts monitoring the dark web report that hackers who stole the personal data of millions of Robinhood customers also accuse the platform of lying and intentionally omitting the fact that the attack had exposed the ID cards of some members as well.
Earlier this week, the popular trading platform revealed a data breach had leaked details of more than seven million customers.
However, privacy watchdog Privacy Affairs reports that writing on a popular hacker forum, the alleged hackers accused Robinhood of downplaying the severity of the breach.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
“At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people,” wrote Robinhood in a blog post disclosing the breach.
More than meets the eye
While Robinhood admitted that it gathers sensitive information about its users as part of the regulatory requirements, including social security numbers and financial information, it claimed this data wasn’t leaked in the breach.
However, the alleged hackers insisted that they had managed to get their hands on customer ID cards from SendSafely, a file transfer system used by the platform during customers’ Know Your Customer (KYC) verification process.
When Privacy Affairs confronted Robinhood with the hacker’s claims, the platform admitted that it had indeed lost the ID cards of a handful of users, something Privacy Affairs notes that the platform had not shared in its original post.
“As we disclosed on November 8, we experienced a data security incident and a subset of approximately 10 customers had more extensive personal information and account details revealed. These more extensive account details included identification images for some of those 10 people,” a Robinhood spokesperson told Privacy Affairs over email.
A leak is a leak
Even without the ID cards, cybersecurity experts TechRadar Pro spoke to believed that even the supposed non-sensitive data, names and email address, could pose a serious threat to the concerned individuals.
Marcus Guidry, senior cyber threat intelligence analyst at security firm Pondurance says cyber criminals can collect the other missing pieces of information with the help of dossiers already compiled by marketing firms, and readily available in underground marketplaces on the dark web.
“Worse, they can easily purchase stolen credentials from leak sites owned by initial access brokers (IABs). If a threat actor already has your email, then chances are very high that the same email address already has a presence on at least one or more social media sites,” says Guidry.