Almost 2,000 Robinhood Markets accounts were compromised in a recent hacking spree that siphoned off customer funds, a sign that the attacks were more widespread than was previously known.
A person with knowledge of an internal review, who asked not to be identified because the findings aren’t public, provided the estimated figure.
When Bloomberg first reported on the hacking spree last week, the popular online brokerage disclosed few details. It said “a limited number” of customers had been struck by cyber-criminals who gained access by breaching personal email accounts outside of Robinhood, an assertion that some of the victims acknowledge and others reject.
The attacks unleashed a torrent of complaints on social media, where investors recounted futile attempts to call the brokerage, which doesn’t have a customer service phone number. Robinhood, which has more than 13 million customer accounts, is now considering whether to add a phone number along with other tools, the person said.
“We always respond to customers reporting fraudulent or suspicious activity and work as quickly as possible to complete investigations,” the company said in an emailed statement. “The security of Robinhood customer accounts is a top priority and something we take very seriously.”
This week, Robinhood sent push notifications to users suggesting they enable two-factor authentication on their accounts. It also plans to send customers more advice on security, according to the statement.
Several victims said they found no sign of criminals compromising their email accounts. And some said their brokerage accounts were accessed even though they had set up two-factor authentication.
Lena Williams, a human resources professional in the Chicago area, can’t figure out how hackers got into her account more than a month ago. She found no intrusion into her email and had set up two-factor authentication. But one day, she woke up to alerts that her investments were being sold, and she quickly discovered she was locked out of the account.
Robinhood has said it will work quickly with customers to secure their holdings. Williams said her account was hit Sept. 10 and that her repeated emails and a Twitter message weren’t returned until Thursday.
Miah Brittany Laino, who works at a home-improvement store in Arizona, thought her account was safe for several reasons. She said two-factor authentication initially blocked someone from accessing it on Sept. 13. She then followed Robinhood’s instructions to change her password. The firm said it would prevent trading until she submitted her identification. She didn’t bother to send it in, figuring it would be safer to leave the account disabled.
Early the next morning she received a barrage of alerts on her phone. “It said ‘This stock sold. This stock sold. This stock sold,’” recalled Laino, 29. “It’s like if you wake up at 4 a.m. and your house is on fire.”
Unable to find a phone number, Laino said she emailed customer support but received no response. Then she checked her email’s trash bin and discovered someone had accessed it, setting it up to intercept messages from Robinhood. Laino said she got a call from customer support on Sept. 25. That’s when she learned someone had created fake identification and submitted it to Robinhood to reactivate trading. The forgery had her information, a photo of a different person and a font that doesn’t match Arizona’s official state IDs.
Laino said Robinhood restored her account and stock holdings, but she still plans to eventually leave the firm.
“I don’t want to sell right now,” she said. “But I’m not going to put any more money into it. I don’t really trust them.”
Robert Riachi, 23, is still in limbo.
He said his email was compromised more than a week ago and that thousands of dollars went missing from his Robinhood account. Its customer support team asked him to provide ID, but Riachi said that since submitting it he hasn’t received updates. Each time he asked for one, he got a new case number and now has about 10 of them, he said, noting three are active.
Riachi, a software engineer in Montreal, said he had four years of savings in his account and doesn’t know whether they’re gone because he’s locked out. If he gets the money back, he plans to move his account to Charles Schwab Corp.
“I feel like my money could be put somewhere else, somewhere that has a human person that I can talk to,” Riachi said. “It’s kind of ridiculous that an investment app that’s handling people’s livelihoods, people’s money, has the audacity to make people wait several weeks to hear back anything.”