yego.me

Robinhood Hacked - 7 Million Accounts Hit


·Nov 7, 2024

Don't you hate when you buy a stock and right afterwards they hack and your money goes up in flames? Me too, and that's why we have to talk about the recent data breach that just impacted 7 million Robinhood customers: how to tell if your information was hacked, if this is something to worry about, and how you can best protect yourself against the bad guys stealing your money. Because I gotta say, I'm surprised that more people aren't talking about this. And if you are one of the people affected, there are several ways to keep your account safe that I use myself.

Because, sir, this is a casino where nothing is considered private. All right? No, but really, on a serious note, I had my account hacked in almost the exact same way. Since then, I've taken extraordinary measures to keep all of my information completely private, of which I'm about to share with my half million subscribers publicly, so that'll be fun.

Anyway, all of that and more on this episode of Everyone is too busy making videos on Elon Musk selling Tesla to pay attention to anything else. Although, before we begin, as usual, if you appreciate this information or you find it helpful in any way, just do me a quick favor and breach that like button for the YouTube algorithm by making it turn blue. You can also feel free to subscribe since I post three videos every single week, and I won't leak your data. So thank you guys so much! And now, with that said, let's begin.

All right, so in terms of where this starts, yesterday Robinhood revealed that a third party was able to obtain access to some of their customer information, including names, email addresses, and some other personal details. As they say, the unauthorized party obtained a list of email addresses for approximately 5 million people and the full names for a different group of approximately 2 million people.

We also believe that for a more limited number of people, approximately 310 in total, additional personal information including name, date of birth, and zip code was exposed, with a subset of approximately 10 customers having more extensive account details revealed. We are in the process of making appropriate disclosures to affected people.

Now, thankfully, they do clarify that based on our investigation, the attack has been contained and we believe that no social security numbers, bank account numbers, or debit card numbers were exposed, and that there has been no financial loss to any customer as a result of the incident. Of course, you might be wondering, but GR, how could this happen in the first place?

Well, a month ago Robinhood finally implemented something that we have been asking for for years, and that would be phone support. Now even though most of us are antisocial and rarely use the telephone anyway, 24/7 support with a real-life human being is incredibly important. Because let's be honest, we're tired of getting the same template email response over and over again when a person would be able to solve the entire issue in a few clicks.

So on October 5th, they did just that. Throughout the last month, if you wanted to talk to somebody about why their stock price won't seem to go above $0 anymore, you could request a call within the Robinhood app and get a call back usually within about 30 minutes. On top of that, they used this as an opportunity to become the first cryptocurrency brokerage with phone support, a change which I hope eventually comes to Coinbase because their customer service is absolutely horrific, but I'll save that for another video.

Anyway, as part of their phone support initiative, Robinhood tripled the size of the internal team and have also tapped a large number of contractors to handle phone support, and that is where some of the problems begin. As Robinhood says, the unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems.

Or in other words, since Robinhood had contracted out a large portion of their phone support, a hacker pretended to be a part of the customer support team over the phone. They knew just enough about the person that they were impersonating to gain access to Robinhood's information—and possibly your information too.

To me, it's a huge misstep that their phone staff was vulnerable to such an attack, or that they would have open access to so much information without the proper protocols in place to prevent this from happening. Now in Robinhood, we don't know the exact details, and perhaps this could be an inside job or something that's far, far deeper than we're even aware of, but most likely, I'm just assuming a portion of their phone staff is remote.

Perhaps there wasn't a strong enough way to verify the person behind the phone before gaining access to information, leading to a data leak. But again, that's just a wild guess. To make matters worse, the person behind the theft of data demanded payment not to release the stolen information. Apparently, in a statement emailed to The Verge, the Mandiant security firm recently observed this threat actor during a limited number of security incidents, and we expect that they will continue to target and extort other organizations over the next several months.

In either case, the aspect of social engineering where someone pretends to be somebody else—kind of like a dude playing a dude disguised as another dude—is extremely important to be aware of. Because if enough of your information is made public, there is nothing stopping a random stranger from gaining access to your accounts and then doing whatever they want.

And that's what's happened to me. When I got hacked one evening, I looked down at my phone and got a weird message from T-Mobile that my SIM card had been updated, and if I didn't make the change, to contact T-Mobile directly.

Now almost instantly, before I had any time to comprehend what was going on, my cellphone service immediately cut out. That was around the time I noticed that all of a sudden, I was locked out of every single one of my accounts. My email passwords were changed, my YouTube password was changed, my bank account passwords were changed, and in about 15 minutes, I lost access to everything.

So I rushed over to T-Mobile to figure out what was going on. When I spoke with the representative, he said that somebody called in, pretended to be me, and knew enough information about me to trick the representative into giving over my SIM card and phone number, which of course could then be used to reset every single one of my passwords. Thankfully, I was able to regain access to all of my accounts and absolutely no information or money was lost.

And it was at that point that someone from T-Mobile told me to enable a secret password verification so that I was the only one that knew it. Without that secret passcode, no one else would be able to gain access to my account ever again. They also took it a step further and put a note in my account that a SIM swap would only be allowed in person with a photo ID.

I also enabled Google Authenticator so that to gain access to my account, they would have to know a randomly changing code every 60 seconds. So I thought it was pretty safe. But 24 hours later—I can't even make this up—my account was hacked again in the exact same way as the first time.

So I went back to T-Mobile, and it turns out that somebody in another state changed my SIM card despite the locks on my account. So that tipped me off that 100% it was an inside job and somebody who worked at T-Mobile was doing this. Since then, I've smartened up a lot, and even though I won't reveal exactly what I do just so I don't open myself up to another attack, I will give you a few ideas to use.

Because let's face it, chances are your information is probably already exposed in one way or another. By the way, if you want to read about these topics as soon as they happen before I'm able to post a full-fledged video on them, feel free to check out my newsletter app down below in the description called the Hungry Bullet. Totally free and takes you just a few seconds.

First, always enable Google Authenticator. This is a totally free service that randomly generates a six-figure code every 60 seconds that's required to log in to certain websites. That means that even if someone was able to obtain access to your phone number, email address, username, and password, unless they physically have access to your phone through facial recognition, they would be unable to log in.

Second, always request that your telephone provider require photo ID in person before changing the SIM card. Even though it's never 100% foolproof—like in my situation—it is just another barrier that will cut down the likelihood of your information ever being released without your consent.

Third, use private burner email addresses that no one has access to, and from there you could link the important accounts to addresses that no one else knows about. That way, if a hacker wants to gain access to your information, they're not even going to know where to look.

Fourth, if you want to be extra protected, get a prepaid burner phone that you never tell anybody about. There are plenty of businesses out there that don't ask you for any personal information or details when they give you a new phone number, meaning your SIM card and phone number are totally traceable, and none of your information is stored in a database.

Fifth, ideally do not link your accounts to your phone number for password recovery. All of my situations could have entirely been avoided. How? Just disable the "reset my password via text" option, which frankly is absolute trash. If you want to protect your accounts, instead you should always redirect passwords to your burner email account. If you forget your passwords on those accounts, well, first of all, don't forget your passwords! But then you could also use your burner phone numbers to retrieve them.

Sixth, you should probably try not to keep all of your information in one basket. I know it's really tempting to have one account that does everything from your banking, credit cards, investments, and cryptocurrency, but try to spread them out throughout different services if you can.

Even for myself, I have multiple stock brokerages, cryptocurrency accounts, bank accounts, and credit cards, and that way it makes it much more difficult for one person to gain access to all of them.

And seventh, since most likely all of your information is already released through the Equifax data breach and other events through the last 10 years, go ahead and freeze your credit scores for free to ensure that nobody steals your identity. This prevents any new accounts from opening up in your name—from credit cards, loans, or anything else that has access to your account.

I'll link to their direct information down below in the description for you to do this, but Equifax, TransUnion, and Experian all allow you to do this on their website for the cost of absolutely nothing. I would say there's literally no reason not to do this; it'll take you like 10 minutes. All the information is down below in the description; just go ahead and do it.

Although, here's the thing. I'm sure a lot of people are going to say, "But GR, I don't care if they just have my email address! What are they gonna do, sign me up for a whole bunch of spam? I don't care!" Here's the deal: your email address by itself is not that big of a deal, but it does make you vulnerable to phishing emails where somebody pretends to be Robinhood and asks you to log in—which then makes it so that they have your username and password.

These types of scams are so common that it's extremely important to verify the sender's information to make sure they're legitimate. Most of the time, it's better to never click links in your email and to always go directly through the app if they ask you to do something.

In terms of whether or not you've been impacted by this breach, it's probably a better idea to assume that you have been just to be on the safe side. But in all reality, it seems as though Robinhood has identified the accounts at risk and has sent them an email explaining what happened. Even though Robinhood believes that no social security numbers, bank account numbers, or debit card numbers were exposed, like I mentioned, do your best to protect your account and always err on the side of caution just so you don't open yourself up to any amount of risk.

This is especially important when millennials are often the ones who want to invest for themselves. As the Wall Street Journal reported, many also want to invest in riskier assets like cryptocurrency and tech startups that mainstream advisors don't offer.

They even gave the example of a 33-year-old who received a $9 million windfall after selling his advertising business but decided against the financial advisor because he thought they put too little effort into explaining how their investments were unique and worth the fees. None of them brought up crypto or real estate, the investments that most interested him. Another 26-year-old is dodging calls from Goldman Sachs because he prefers risky investments that could potentially double or triple his money over those promising market-type returns.

I say this not to try to point out a crazed market bubble, but instead the fact that millennials and Gen Z are recognizing that social capital and attention are factors that need to be taken into consideration. Even though we have no idea how this might pan out in the long term, it should not be ignored.

Because of that, security needs to be just as important as posting the next big YOLO gain on WallStreetBets. By doing the seven suggestions that I just mentioned, your account is going to be that much more secure from Robinhood.

If you agree, just do me a quick favor and hit the like button, and if you found this information helpful in any way, feel free to subscribe because I promise I'm not going to steal any of your information. So with that said, you guys, thank you so much for watching. I really appreciate it!

Also, feel free to add me on Instagram and on my second channel, The Gram Stepan Show. I post there every single day, not posting here. So if you want to be a part of it, feel free to add me on that. Thank you guys so much for watching, and until next time!
