American financial services company Robinhood Markets Inc. said on Monday that personal information of about 7 million people -- or roughly a third of its customers -- was compromised in a data breach last week and that the culprit demanded payment, Bloomberg News reported.
The intruder obtained email addresses of about 5 million people as well as full names for a separate group of about 2 million, Robinhood said in a statement.
For some customers, even more personal data was exposed, including names, birth dates and ZIP codes of about 310 people, and more extensive information belonging to a group of about 10, the company stated.
The Menlo Park, California-based brokerage said it believes no Social Security, bank account or debit-card numbers were exposed during the November 3 incident, nor that customers incurred financial losses.
The hacker made threats about what would be done with the compromised information, although it wasn’t a ransomware attack, said a Robinhood spokesperson, who declined to say whether the firm paid the perpetrator.
The attack hinged on a phone call with a customer service representative, whom the intruder used to gain access to support systems, according to the statement. Robinhood said it contained the breach, notified law enforcement and enlisted security firm Mandiant Inc. to investigate the breach.