Nearly 2,000 users of stock trading and investment app Robinhood are the latest victims of a steady string of financially motivated cyber-attacks.
Since 2019, Robinhood users have been reporting attacks that result in personal stocks being sold off and money transferred to fraudulent accounts. This week’s incident leads us to believe that the attacks were more widespread than previously indicated.
According to a Bloomberg report, one user who suffered a breach found deleted emails in her account that communicated with Robinhood about account changes, confirming that her email had been compromised by a bad actor and used to message the platform. The same user also discovered that someone had submitted fake photo identification for her account.
It does not appear that Robinhood’s systems were breached to gain access to accounts. Evidence points to bad actors either obtaining user credentials outside of Robinhood systems (i.e., credential stuffing) or gaining access to users’ email accounts via phishing and then initiating actions to change passwords and take over the user’s Robinhood account.
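The pattern described above, many different usernames tried from one source in a short burst with a high failure rate, is the signature a defender can hunt for in authentication logs. The following Python example is added here for illustration and is not Robinhood's code or from the original article; the log format, the sample lines, the thresholds and the function names are all constructed assumptions. It flags source IPs that behave like credential stuffing and lists any accounts that did log in successfully from such a source, which are the accounts most worth re-checking for password reuse and takeover.

```python
"""Flag credential-stuffing bursts in a simple login log.

Constructed example: the "timestamp ip username result" format and the
sample lines below are assumptions for illustration, not a real system's log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 sprays one attempt each across many
# accounts (stuffing); 198.51.100.22 hammers a single account (brute force,
# deliberately not matched by this rule); 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2020-10-08T09:00:01Z 203.0.113.7 alice FAIL
2020-10-08T09:00:02Z 203.0.113.7 bob FAIL
2020-10-08T09:00:02Z 203.0.113.7 carol FAIL
2020-10-08T09:00:03Z 203.0.113.7 dave FAIL
2020-10-08T09:00:03Z 203.0.113.7 erin FAIL
2020-10-08T09:00:04Z 203.0.113.7 frank SUCCESS
2020-10-08T09:00:05Z 203.0.113.7 grace FAIL
2020-10-08T09:01:10Z 198.51.100.22 alice FAIL
2020-10-08T09:01:15Z 198.51.100.22 alice FAIL
2020-10-08T09:01:20Z 198.51.100.22 alice SUCCESS
2020-10-08T09:05:00Z 192.0.2.9 heidi SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    events.sort(key=lambda e: e[0])  # stable sort keeps log order for equal timestamps
    return events


def detect_credential_stuffing(text, window_seconds=60, min_distinct_users=5,
                               min_failure_ratio=0.6):
    """Return {ip: stats} for source IPs that, within a sliding time window,
    attempted at least `min_distinct_users` different usernames with a
    failure ratio of at least `min_failure_ratio`.

    `stats` holds the attempt/failure counts and distinct-user count for the
    widest matching window, plus the usernames that logged in successfully
    from that source inside it (candidate account takeovers).
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse_log(text):
        by_ip[ip].append((ts, user, result))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window never exceeds window_seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            failures = sum(1 for _, _, r in chunk if r == "FAIL")
            if len(users) >= min_distinct_users and failures / len(chunk) >= min_failure_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(chunk),
                        "failures": failures,
                        "successes": sorted({u for _, u, r in chunk if r == "SUCCESS"}),
                    }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {stats['distinct_users']} users tried, "
              f"{stats['failures']}/{stats['attempts']} failed, "
              f"successful logins: {stats['successes']}")
```

The rule keys on distinct usernames per source rather than on failures alone, so a single-account brute force (198.51.100.22 above) is left for a separate lockout rule, while the sprayed source is flagged and "frank", whose reused password let the attacker in, surfaces as the account to force a reset and 2FA enrolment on.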
How to Protect Your Account from Bad Actors
To safeguard your Robinhood account from ongoing threats, we recommend the following:
- Use unique passwords for all of your online accounts, especially sensitive ones like email, banking, and trading apps.
- Use a password manager like LastPass, Dashlane, or 1Password to manage passwords. Secure your password manager with a unique and distinct password.
- Enable two-factor authentication (2FA) on your Robinhood account, your email, and every other account that holds sensitive information.
- Verify that you have access to your Robinhood account and that all information is correct.
- Be aware of phishing attempts to gain access to your account. As stated on its website, Robinhood Support will never:
  - Send you links within text messages
  - Ask for your account password or 2FA codes
  - Ask you for information or credentials regarding your accounts on other trading platforms or services
  - Request that you download remote desktop access software
Back in September, the SEC warned of an increase in credential stuffing attacks on the financial sector, including banks, financial services providers, insurance companies, and investment firms. As the threat landscape continues to evolve, contact us to have a deeper conversation about protecting your personal accounts, your clients, and your firm from cyber-attacks. We’re here to help.