Investment and stock trading app Robinhood saved some user information, including passwords, in plain text on internal systems, the company revealed today. This particularly dangerous error could have put users at serious risk, even though the company says it has no evidence that the data was accessed improperly. Change your password now.
Sensitive data such as passwords and personal information are generally encrypted at all times. That way, if the worst happened and a company's databases were exposed, all the attacker would get is a bunch of rubbish. Unfortunately, it seems there may have been a few exceptions to this rule.
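As an added illustration of the point above (example code, not from the article or from Robinhood), the following Python shows the two controls involved: storing only a salted, iterated hash of the password, and scrubbing password fields out of log messages so an internal log cannot quietly become a plaintext password store. The field names and the regex are assumptions.

```python
import hashlib
import hmac
import logging
import os
import re

# Store only a random per-user salt and a PBKDF2-HMAC-SHA256 derived key.
# The password itself is never written anywhere.
def hash_password(password: str, iterations: int = 600_000) -> dict:
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "key": key.hex(), "iterations": iterations}

def verify_password(password: str, record: dict) -> bool:
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(record["salt"]), record["iterations"])
    # Constant-time comparison of the recomputed key with the stored one.
    return hmac.compare_digest(key, bytes.fromhex(record["key"]))

# Assumed field names; extend the alternation to match your own schema.
# Matches key=value, key: value and JSON "key": "value" forms.
_SECRET_RE = re.compile(
    r'("?(?:password|passwd|pwd)"?\s*[:=]\s*)("[^"]*"|\S+)', re.I)

def redact(text: str) -> str:
    """Replace the value of any password-like field with a marker."""
    return _SECRET_RE.sub(r"\1[REDACTED]", text)

class RedactSecrets(logging.Filter):
    """Logging filter: format the record, then scrub it before any handler sees it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True

def scrubbed_log_line(msg: str, *args) -> str:
    """Build a log record the way logging would and return what a sink would receive."""
    record = logging.LogRecord("auth", logging.INFO, __file__, 0, msg, args, None)
    RedactSecrets().filter(record)
    return record.getMessage()

if __name__ == "__main__":
    stored = hash_password("hunter2")          # constructed sample credential
    print(stored)                              # salt/key hex only, no plaintext
    print(scrubbed_log_line("login user=%s password=%s", "alice", "hunter2"))
```

To apply the filter globally, add `RedactSecrets()` to every handler on the root logger; filters on a logger do not apply to records propagated from child loggers.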
A number of users, including CNET's Justin Cauchon, received the following message from Robinhood by email:
When entering a password for your Robinhood account, we use an industry-standard process that prevents anyone in our company from reading it. On Monday night, we discovered that some user information was stored in a readable format in our internal systems. We wanted to let you know that your password may have been included.
We solved this problem and found, after thorough review, no evidence that this information was accessed by anyone outside our response team.
It seems that if it was really "industry standard", then the rest of the industry must also have been storing passwords in plain text. Come to think of it, that would explain a lot, since Google, Facebook, Twitter and others have all managed to make the same mistake recently.
A Robinhood representative stressed how quick the company's response to the problem was, though they would not comment on how the problem was first discovered, how long the data had been stored that way, how it came to deviate from those industry norms, or how many users were affected, nor on whether answers to those questions would ever come. They made the following statement:
We quickly solved this problem with information logging. After a thorough review, we found no evidence that this customer information was opened by anyone outside our response team. Out of an abundance of caution, we have alerted customers who may have been affected and encouraged them to reset their passwords. We take our responsibility to customers seriously and put a huge focus on working to ensure that their information is secure.
If you received an email, you were among the unfortunate ones affected, so change your password. If you didn't receive an email, change your password anyway. You can never be too careful.