More than a week after popular investment and trading platform Robinhood revealed that hackers had obtained access to a “limited amount” of its customers’ personal information, the company has now stated that some of the stolen information included thousands of phone numbers.
In a Tuesday blog update, Robinhood said that the list obtained by the hackers—which contained email addresses for about five million people and full names for a different group of roughly two million people—included “several thousand entries” with phone numbers. Although the company did not reveal how many phone numbers were on the list, Motherboard reported that it’s about 4,400.
Motherboard got a copy of the stolen phone numbers “from a source who presented themselves as a proxy for the hackers.” In a statement to the outlet, Robinhood did not confirm whether the phone numbers Motherboard had obtained were authentic but did acknowledge that the stolen information included thousands of phone numbers.
It also pointed out that it was analyzing other “text entries,” which presumably refers to customer information, in the list.
“[T]he list also contains other text entries that we’re continuing to analyze,” Robinhood said in its blog update. “We continue to believe that the list did not contain Social Security numbers, bank account numbers, or debit card numbers and that there has been no financial loss to any customers as a result of the incident. We’ll continue making appropriate disclosures to affected people.”
Gizmodo reached out to Robinhood on Wednesday and asked if it had any update on whether sensitive personal information had been obtained by hackers and was pointed to the company’s blog on the issue, which we included above.
The hack on Robinhood originally took place on Nov. 3 and was carried out using a social engineering scheme. The nefarious plan involved the hackers convincing a customer support employee over the phone that they had permission to access “certain customer support systems.” This gave the hackers access to roughly five million customer email addresses and two million full names.
At that time, the company also said that the hackers had obtained information including name, date of birth, and zip code for 310 people. About 10 customers had more “extensive” account details revealed, although the company did not define what information it included under “extensive.”
After obtaining customer data, the hackers demanded an extortion payment. Robinhood proceeded to get in touch with authorities and contract the security firm Mandiant to help it investigate the incident.
Running off with stolen email addresses and names was already alarming since they can be used by cybercriminals to obtain even more data about you and compromise your accounts. However, as Motherboard rightly points out, phone numbers are especially risky to lose because hackers can use them to trick the multi-factor authentication on your phone or send phishing messages from your device.
This is all just a reminder that we should turn off our phones, put them in a box, and never use the internet again. But that’s not going to happen, is it?