Late in the evening of November 3, we experienced a data security incident. An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers. Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident.
The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems. At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people. We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed. We are in the process of making appropriate disclosures to affected people.
After we contained the intrusion, the unauthorized party demanded an extortion payment. We promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm.
“As a Safety First company, we owe it to our customers to be transparent and act with integrity,” said Robinhood Chief Security Officer Caleb Sima. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”
If you are a customer looking for information on how to keep your account secure, please visit Help Center > My Account & Login > Account Security. When in doubt, log in to view messages from Robinhood—we’ll never include a link to access your account in a security alert.
Cautionary Note Regarding Forward-Looking Statements
This blog post contains forward-looking statements regarding Robinhood Markets, Inc. and its consolidated subsidiaries (“we,” “Robinhood,” or the “Company”) including our efforts to investigate and remediate the data security incident and our attempts to identify and provide appropriate disclosures to affected customers, among others. Our forward-looking statements are subject to a number of known and unknown risks, uncertainties, assumptions, and other factors that may cause our actual future results, performance, or achievements to differ materially from any future results expressed or implied in this blog post. Factors that contribute to the uncertain nature of our forward-looking statements include, among others, our ongoing investigation of the incident; our vulnerability to additional data security incidents; adverse legal, reputational and financial effects on the Company resulting from the incident or additional data security incidents; and potential operational disruptions as a result of the incident. Because some of these risks and uncertainties cannot be predicted or quantified and some are beyond our control, you should not rely on our forward-looking statements as predictions of future events. More information about potential risks and uncertainties that could affect our business and financial results is included in Part II, Item 1A of our Quarterly Report on Form 10-Q for the quarter ended September 30, 2021 as well as our other filings with the Securities and Exchange Commission (“SEC”), which are available on the SEC’s web site at www.sec.gov. Except as otherwise noted, all forward-looking statements are made as of the date of this blog post and are based on information and estimates available to us at this time. Except as required by law, Robinhood assumes no obligation to update any of the statements in this blog post whether as a result of any new information, future events, changed circumstances, or otherwise. You should read this blog post with the understanding that our actual future results, performance, events, and circumstances might be materially different from what we expect.