“Fresh DUMP Active accounts with orders! MAIL access only!”

Dominitz explained a typical hack may work like this:

After commandeering a victim’s email, the thief requests a new password for the brokerage account and then intercepts the email sent in response, effectively locking out the account owner before they notice a problem.

Some marketplaces are selling other information that could provide a different way of hacking into customer accounts. One of them advertised remote access to a laptop that had been infected with malware, revealing active Robinhood credentials.

Locked Out
Robinhood customer Ryan Bordner, an electrical engineer in Spokane, Washington, was among those whose email credentials were sold on the dark web. Like many others, he woke up one morning in mid-August to find he was locked out of his brokerage account.

Bordner, 30, said he later learned from an identity-theft protection service that his email credentials wound up on the dark web following a June breach of another personal-finance app he had set up years earlier and forgotten about. The intruder used that access to change the password of his brokerage account and route all emails from Robinhood to his trash folder.

Hacking has been the latest headache for Robinhood, which was founded seven years ago by Baiju Bhatt and Vlad Tenev and has exploded in popularity this year as Americans stuck at home look to make some money during the pandemic. The no-fee brokerage app has also attracted consumer complaints, with novice investors confused by the vagaries of stock options and margin loans and no one to reach for help by phone.

“We’re working on customer support across the board,” Tenev said in a CNBC interview this week. “We’ve made huge investments and are continuing to make huge investments.”

‘Worst Experience’
Now, even though the firm said it has more than doubled its customer-service team this year, clients complain they’ve struggled to get quick help when their funds are disappearing.

“It was hands-down the worst experience when it comes to customer service,” said Bordner, who only resolved the issues after his account was locked for more than a month.

Meanwhile, the email accounts of Robinhood customers continue to entice hackers, and Dominitz said the problem may be “a hell of a lot” bigger than the 2,000 cases identified during the firm’s internal probe.

“Maybe that’s what they’ve been able to detect internally,” he said. “Maybe that’s what they’re seeing unauthorized activity on already, but that doesn’t mean that is the full scope of what’s been compromised.”

This article was provided by Bloomberg News.
