The dark web is the underbelly of the internet, where cyber-criminals hunt for drugs, demand ransom and engage in trafficking.
It’s also where hackers can buy and sell email credentials to access customer accounts at Robinhood Markets, the online brokerage that has drawn millions of users this year, many of them young and trading stocks for the first time.
Access to more than 10,000 email login credentials allegedly tied to Robinhood accounts were available for sale this week, according to a Bloomberg review of dark web marketplaces. The number of Robinhood-related emails outnumber those for other brokerages by about 5-to-1, according to Eli Dominitz, chief executive officer of Q6 Cyber, an e-crime intelligence firm that analyzed the prevalence of these advertisements on the dark web.
“If they feel that Robinhood gives them greater upside than trying to steal money from Bank of America, that’s what they’re going to do,” Dominitz said of the cyber-criminals and why there may be more demand for Robinhood accounts over other brokerages.
Robinhood customers have complained for months that their accounts have been hacked and that they’ve struggled to get the company to respond. An internal investigation found almost 2,000 accounts were compromised as a result of hacked emails, a person familiar with the matter said this month.
Robinhood emphasized that it’s not the only brokerage subject to such attacks.
“It is not uncommon for cyber-criminals to target customers of financial-services companies by attempting to use information sourced from the dark web,” Robinhood said in an emailed statement, adding that the information is often inaccurate and that a stolen email alone isn’t enough to compromise a brokerage account.
The firm said there are no signs its systems were breached and it employs several security measures, while encouraging customers to enable two-factor authentication. Robinhood has also promised to fully compensate customers if the company determines they lost money because of unauthorized activity.
The availability of client credentials on the dark web highlights the challenge brokerages face in the COVID-19 era, as a boom in online trading has been accompanied by increased opportunities for cyber-criminals.
Bloomberg also found data linked to almost 1,000 TD Ameritrade Holding Corp. accounts on a marketplace called SlilPP, which is known for hawking stolen banking and financial-services credentials.
“Cyber criminals are constantly evolving their tactics, and we work very hard to stay one step ahead of them,” TD Ameritrade spokeswoman Christina Goethe said in an emailed statement, noting that the company also offers security measures, including two-factor authentication.
The data peddled on dark web marketplaces is typically accurate, though it’s unclear whether all of the credentials are tied to genuine brokerage accounts, according to Dominitz, who works with other financial firms to monitor threats.
One of the latest offers to buy access to Robinhood accounts came Wednesday with each credential available for as little as US$3.50.
“Fresh DUMP Active accounts with orders! MAIL access only!”
Dominitz explained a typical hack may work like this:
After commandeering a victim’s email, the thief requests a new password for the brokerage account and then intercepts the email sent in response, effectively locking out the account owner before they notice a problem.
Some marketplaces are selling other information that could provide a different way of hacking into customer accounts. One of them advertised remote access to a laptop that had been infected with malware, revealing active Robinhood credentials.
Robinhood customer Ryan Bordner, an electrical engineer in Spokane, Washington, was among those whose email credentials were sold on the dark web. Like many others, he woke up one morning in mid-August to find he was locked out of his brokerage account.
Bordner, 30, said he later learned from an identity-theft protection service that his email credentials wound up on the dark web following a June breach of another personal-finance app he had set up years earlier and forgotten about. The intruder used that access to change the password of his brokerage account and route all emails from Robinhood to his trash folder.
Hacking has been the latest headache for Robinhood, which was founded seven years ago by Baiju Bhatt and Vlad Tenev and has exploded in popularity this year as Americans stuck at home look to make some money during the pandemic. The no-fee brokerage app has also attracted consumer complaints, with novice investors confused by the vagaries of stock options and margin loans and no one to reach for help by phone.
“We’re working on customer support across the board,” Tenev said in a CNBC interview this week. “We’ve made huge investments and are continuing to make huge investments.”
Now, even though the firm said it has more than doubled its customer-service team this year, clients complain they’ve struggled to get quick help when their funds are disappearing.
“It was hands-down the worst experience when it comes to customer service,” said Bordner, who only resolved the issues after his account was locked for more than a month.
Meanwhile, the email accounts of Robinhood customers continue to entice hackers, and Dominitz said the problem may be “a hell of a lot” bigger than the 2,000 cases identified during the firm’s internal probe.
“Maybe that’s what they’ve been able to detect internally,” he said. “Maybe that’s what they’re seeing unauthorized activity on already, but that doesn’t mean that is the full scope of what’s been compromised.”