Robinhood says hackers also got thousands of phone numbers

The company maintains it doesn’t believe hackers stole SSNs or bank account numbers

Illustration by Alex Castro / The Verge

Robinhood has revealed that “several thousand entries” in a list obtained by hackers included phone numbers, indicating that a November 3rd security breach compromised more information than the company originally reported. More precisely, the list contains around 4,400 phone numbers according to Motherboard, which reportedly obtained the list from a “proxy for the hackers.”

Earlier this month, Robinhood reported that an employee falling victim to a social engineering attack led to hackers obtaining 5 million customers’ emails, and 2 million customers’ names. Additionally, around 300 customers had more details like zip codes and dates of birth stolen, while 10 customers had “more extensive account details revealed.” Phone numbers weren’t mentioned in the company’s original post.

Robinhood told Motherboard that it still believes information like Social Security, bank account, and debit card numbers weren’t compromised, but that it’s also analyzing “other text entries” in one of the lists the hackers obtained. The company also posted this information in an update to its original blog post about the incident and said that it would “continue making appropriate disclosures to affected people.”

This isn’t the first bit of new information to come out since the company originally revealed that it had been hacked. Screenshots reportedly showing the tools and extra information hackers had access to for around 10 accounts were also posted by Motherboard last week, after the publication says they were provided by a source connected to the hackers.

As Motherboard points out, access to Robinhood users’ phone numbers could make the users vulnerable to SIM swapping, or targeted phishing attacks from the hackers or anyone to whom they sold the numbers. It’s also concerning that Robinhood hadn’t released this information until more than a week after it first disclosed the attack. While it’s possible the company wasn’t aware the phone numbers had been taken, that’s not a particularly reassuring explanation.