November 3 data security incident

What happened?

Late in the evening of November 3, we experienced a data security incident. An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers. Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident.

The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems. At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people. We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed. We’re in the process of making appropriate disclosures to affected people.

We promptly informed law enforcement and are continuing to investigate the incident with the help of Mandiant, a leading outside security firm.

How do I know if I was affected?

We are in the process of making appropriate disclosures to affected individuals. The safety and security of your account is of the utmost importance to us and we will continue to monitor the security of our networks on a 24/7 basis.

How can I help protect my Robinhood account?

We encourage you to enable two-factor authentication (2FA) with an authenticator app in the app to help protect your account. You can find out how to set up 2FA here.

Phishing scams are common and often fraudsters will impersonate financial firms. Here are several precautions and actions you can take to keep your account and information safe.

  1. Log in to the app to view important messages. Avoid links in security alert emails, which can direct you to fake sites that capture your account and personal information. When in doubt, log in to view messages from Robinhood—we’ll never include a link to access your account in a security alert.
  2. Request 24/7 phone support in-app. Right now, the only way to get phone support is to log in to the app and request a call from an agent—we’ll give you the number we’ll call you from so you know it’s us and not spam. If you see activity you don’t recognize on your account: Account > Help > Contact Us.
  3. Engage only with our verified social media accounts. We’ll never reach out with investment guidance over social media or ask you to send money. See our verified handles.
  4. Report suspected phishing scams. Forward these to Note that this is for reporting purposes only—you will not receive a response from our team.

How can I help protect my email account?

As a best practice, you should also use a unique password for your email account and turn on two-factor authentication. Double-check the sender on emails that contain links or attachments, or where the sender is requesting sensitive actions or personal information. When possible, log in directly via web browser or application instead of logging in via links.

To learn more, check out these articles on Account Security and How to Identify & Report Scams.

Reference No. 1912569