US share-trading app Robinhood has been hit by a security breach that has exposed the names or email addresses of more than seven million people.
The company says the breach affected “a limited amount of personal information for a portion of our customers”.
And it does not believe the most sensitive information it gathers – US social security numbers and financial information – was revealed.
Robinhood said it had rejected a demand for payment and reported the attack.
Such ransom demands are not uncommon in cyber-attacks and usually amount to a promise not to sell on the compromised data or leak it for free online. The company did not say what terms were involved in its case.
Instead of complying with what it called “extortion”, Robinhood said it had notified law-enforcement authorities and hired an external cyber-security firm to help deal with the incident.
“We owe it to our customers to be transparent and act with integrity,” the company’s security officer, Caleb Sima, said in a published statement.
“Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do,” it said.
The breach happened on 3 November through what’s known as “social engineering” – a specifically targeted and convincing scam designed to trick an employee into divulging login details or other sensitive information.
It compromised the email addresses of five million people and the full names of a further two million.
Robinhood also said a much smaller group of about 310 people had much more information exposed – including names, dates of birth, and US zip codes.
A further 10 or so had “more extensive account details revealed”, it said.
Robinhood is available only to US users and requires them to be over 18 and to provide a valid social security number and a valid US address. It is that sensitive information which the company says was not exposed.
The app, which allows for low-volume share trading by ordinary people looking to invest, exploded in popularity earlier this year and was widely used by speculative investors behind the GameStop trading frenzy.