Financial trading platform Robinhood discovered in an internal review that nearly 2,000 of its clients’ market accounts were taken over by hackers who withdrew thousands of dollars from individual accounts, Bloomberg reported Thursday.
The Menlo Park, California-based company told Fastinform last Friday that only a “limited number” of clients were targeted in a series of external cyberattacks aimed at personal email accounts that were linked to accounts at Robinhood.
Bloomberg, which first reported on the attacks, initially found that at least five Robinhood customers had had their market accounts looted by unauthorized users in recent months. On Thursday, the news organization said some clients’ accounts were hacked despite additional security measures they set up as recommended by Robinhood.
A spokesperson for Robinhood declined to comment on the internal report.
“We always respond to customers reporting fraudulent or suspicious activity and work as quickly as possible to complete investigations,” the company said in a statement to Fastinform. “The security of Robinhood customer accounts is a top priority and something we take very seriously.”
Robinhood disclosed last week that the hacks were isolated cases and did not affect its internal systems. At the time, the startup said it is “actively working with those impacted to secure their accounts.”
In the aftermath of the hacks, the fintech said it reached out to affected clients, urging them to adopt stronger security practices, such as enabling two-factor authentication on their app and using a stronger password combination for their account.
One user told Bloomberg Thursday that she had already set up two-factor authentication, which requires the user to verify their identity through a secondary device, before she discovered that her account was emptied out Sept. 10.
At least four of the affected clients said they have been in contact with officials at the U.S. Securities and Exchange Commission, the news organization said. Regulators have reportedly complained that many of Robinhood’s clients turn to them for answers after failing to reach the company’s customer service line for help.
Representatives for the SEC could not be reached for comment.
One customer said Thursday that she has regained access to her account after she was locked out by the hacker, but plans to close her account with Robinhood because the incident had broken her trust in the app.
Another told the news organization that he was frustrated after contacting customer service at least 10 times, all to no avail, after he lost thousands of dollars in the hacks.
“It’s kind of ridiculous that an investment app that’s handling people’s livelihoods, people’s money, has the audacity to make people wait several weeks to hear back anything,” the person said.
The cyberattacks against Robinhood clients follow multiple warnings by U.S. law enforcement officials this year that financial institutions are at a heightened risk of being hacked as more people than ever before work from home due to COVID-19.
Robinhood, which reached 13 million users this year, was wildly popular among younger investors even before it launched in 2015, drawing more than 700,000 prospective clients to its waiting list. The company raised $660 million in its latest funding round in September, giving it a valuation of roughly $11.7 billion.
Its meteoric rise, however, has not come without its costs. The hacks mark the third major scandal at Robinhood in as many months as U.S. regulators scramble to rein in the fintech and its disruptive business model.
In late August, a public records request revealed that U.S. regulators and consumer protection agencies received more than 400 complaints against Robinhood, about four times as many as rivals such as Charles Schwab. The fintech is under investigation by the Financial Industry Regulatory Authority and the SEC.
Robinhood also faces up to $10 million in SEC fines over claims that it failed to disclose its ties to high-speed traders such as Citadel Securities. The startup itself does not execute trades of securities; it sells the deals to traders who gain a small commission.
The company first rose to notoriety in June, when a 20-year-old user, Alex Kearns, died by suicide after the app incorrectly displayed a negative balance of over $730,000. In a note, Kearns blamed Robinhood for allowing young people like him to take an untenable amount of risk on the platform.
In the aftermath of Kearns’ death, Robinhood vowed to make improvements to the app to help consumers better “understand the mechanics” of its controversial options trades.
--Additional reporting by Owen Poindexter and Beth Newhart