Hackers look to buy brokerage log-ins on the dark web with Robinhood fetching highest prices

Key Points
  • Dozens of brokerage log-ins are for sale on the dark web with portfolios ranging in the low thousands to a half million dollars, according to security analysts and listings seen by CNBC.
  • Robinhood accounts tend to list at higher prices, which analysts say might suggest hackers view these accounts as easier to break into.
  • “Money, the promise of money, the announcement of money to be had and the bragging about money obtained are all simply chum in the water for bad actors,” says Richard Bird of Ping Identity.
athima tongloom

As a new generation of investors flock to the stock market, criminals are looking for ways to exploit them. 

Hackers have turned to the dark web, where log-ins for accounts at major brokerage firms are listed for sale, according to security analysts and listings seen by CNBC. 

For just a few dollars, criminals are selling credentials for customers of E*Trade, Charles Schwab, TD Ameritrade, Robinhood and others, according to New York-based security firm Intsights. The demand has only increased during the pandemic, according to the firm's chief security officer Etay Maor.

"You have more people wanting to do more online from home, and on the other hand the attackers who are actively looking and seeking to take advantage of this situation," Maor told CNBC. "What you end up with is a lot of credentials, and a lot of information being bought and sold on the criminal underground."

The list of vulnerable accounts range from social media sites, to payments app Square, and trading start-up Robinhood. But Robinhood tends to fetch higher prices, according to multiple screenshots of the listings seen by CNBC.

"They were on a higher price point which leads us to believe they were probably easier to get the credentials for and get in, or easier to cash out," Maor said.

Social media bait

Another reason Robinhood may be more valuable in the eyes of hackers is their clients' use of social media. By "trumpeting success" on Twitter and Reddit, they are likely putting targets on their backs, according to Richard Bird, chief customer information officer at Ping Identity. The online bait creates "exactly the kind of environment that hackers love."

"Bad actors are simply paddling to where the easy money is, following that trail of hype, news and self-aggrandizement like sharks hunting harbor seals," Bird said. "Money, the promise of money, the announcement of money to be had and the bragging about money obtained are all simply chum in the water for bad actors."

Robinhood has helped facilitate the introduction of new, millennial investors to the stock market this year. The start-up added 3 million accounts in the first few months of the year, and has at least 13 million users, according to the company's last public disclosure. In June, Robinhood said it saw 4.3 million daily average revenue trades -- outperforming all of the publicly traded, incumbent brokerage firms. 

With that growth, Robinhood has also seen an uptick of mentions of the terms "fraud" and "hack" in reviews for its product in the Apple and Google app store, according to research firm Apptopia. The mentions of "hack" quadrupled from the comparable nine-month period last year, while "fraud" mentions doubled. 

A Robinhood spokesperson said the start-up had seen instances of accounts targeted by bad actors this year. But hacks did not stem from a breach of Robinhood's systems, according to the company.

"A limited number of customers appear to have had their Robinhood account targeted by cyber criminals because of their personal email account (that which is associated with their Robinhood account) being compromised outside of Robinhood," a company spokesperson told CNBC. "We're actively working with those impacted to secure their accounts."

This week, "in an effort to help customers continue to protect their accounts," the start-up rolled out communications with customers via push notifications related to account security actions. That includes reminders about setting up two-factor authentication, verifying personal information and encouraging stronger passwords. 

The spokesperson pointed to an overall increase in targeted cyber crime, which multiple government agencies have warned against this year.

The Securities and Exchange Commission issued a notice to brokerage firms in September describing these types of attacks and specifically highlighted credential sales on the dark web. The Treasury Department Financial Crimes Enforcement Network, or FINCEN, said there have been more than 60,000 reports of identity-related cyber crime since February. Each month during the pandemic, the agency said it is seeing roughly $1 billion worth of financial crimes.

Hackers can find most of what they need to break into someone's account on the dark web, which requires specific software or authorization to access. Criminals might take previously known username and passwords, and try using it on a brokerage site. Phishing, another type of attack, results from an email link that if clicked, could enable a hacker to take over your computer and log in from there. Some sell access to entire computers that have been compromised. Intsights said they have seen access to logins being sold in bulk for discounted prices ranging from $3 to $30.

Robinhood and Covid-19 brought millions of new traders to Wall Street
Robinhood and Covid-19 brought millions of new traders to Wall Street

Locked out, 'no one to call'

CNBC spoke to four Robinhood users who said they were recently locked out of their accounts, and some claimed their portfolios had been drained. The clients said they couldn't determine whether it was the result of their credentials being used from the dark web, or phishing. But they described frustration in their communication with Robinhood. 

Jason Albert, a special education teacher from Steelton, Pennsylvania, said he built his portfolio up to $10,000 since joining Robinhood in January. Albert said his account was compromised in May after noticing what he described as "strange things," such as his balance dropping by $1,000. The fifty-year-old school teacher said he had not been refunded. 

Alex, a 25-year-old business student in New York, told CNBC he had $1,400 in holdings when his Robinhood account was hacked in June. He requested his last name not be used for privacy reasons. Notifications began popping up that his holdings were being sold, and he was locked out of his account. Multiple tickets and emails to Robinhood went unanswered. After failed attempts to reach Robinhood, Alex said his bank ultimately restored the money to his account.

Thirty-six-year old Nate Heard said he was scrolling through his Robinhood app in September, as he does multiple times per day, when he was abruptly logged out. The California-based railroad engineer thought it was a mistake. He couldn't get back in. Notifications began popping up on his iPhone, showing his Tesla and Apple shares being sold by someone else.

"I thought it was a glitch -- but then once I saw the shares being sold, I knew my account was hacked," Heard told CNBC in a phone interview. After two weeks of emailing, Heard eventually got in touch with Robinhood. 

A Robinhood spokesperson told CNBC the app's policy is to immediately restrict an account and investigate it for unauthorized access, and to log out of all devices and the customer is requested to change their password. And the lack of phone calls is by design. 

"We've found that, currently, we're best able to reach customers quickly over email," the Robinood spokesperson said.