Shares of no-fee trading app Robinhood dropped more than 3 percent in premarket trading Tuesday after the company disclosed that hackers made off with the personal information of more than 7 million users last week in a major data breach.
Robinhood announced Monday evening that the hackers took the email addresses of about five million users and the full names of another roughly two million.
The culprits also exposed more-extensive personal information, including name, date of birth and zip code, for about 300 of the users, the company said.
No Social Security numbers, bank account numbers or debit card numbers were exposed in the breach and no customers have actually lost any money as a result, Robinhood insisted.
“We are in the process of making appropriate disclosures to affected people,” the company said.
Robinhood said that it has contained the hack, which took place on Nov. 3, but that the cybercriminals have demanded a ransom payment.
The company said it’s working with law enforcement and cybersecurity firm Mandiant to investigate the incident.
The hacker gained access to Robinhood’s customer support systems by tricking an employee in a phone call, the company said.
“As a Safety First company, we owe it to our customers to be transparent and act with integrity,” Robinhood chief security officer Caleb Sima said in a statement.
“Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”
Shares of Robinhood were more than 3 percent lower on Tuesday morning, trading at $36.78 per share as of 8:45 a.m. ET.
Robinhood previously warned in disclosures filed with the Securities and Exchange Commission that, due to the COVID-19 pandemic, there is an “increased risk that we may experience cybersecurity-related incidents as a result of our employees, service providers and other third parties working remotely on less secure systems and environments.”
In the same July filing, Robinhood disclosed that New York’s Department of Financial Services was investigating the company’s cybersecurity practices and found violations of state requirements at its cryptocurrency arm.
Robinhood said it reached a settlement with the state regulator and expected to pay a $30 million penalty.