When a Hacker Calls: How Robinhood Fell Victim to a Vishing Raid

The call was coming from inside the company.

Or so it seemed when the mobile phone of a customer-service representative for Robinhood Markets Inc. lit up on the evening of Nov. 3. More than an hour passed — on and on the conversation ran, as the caller reeled in the hapless employee.

By the time it was over, that one Robinhood rep had unwittingly handed over keys to the personal information of about 7 million customers, in what’s now believed to be one of the biggest retail brokerage cyber-breaches of all time, by number of accounts affected.

Robinhood didn’t learn of the lapse until the rep got home and told a relative about the strange call — and was promptly advised to escalate it, according to a person familiar with the matter. Only then did the employee inform the company, whose free trading app caught fire with young people buying meme stocks, options and crypto during the pandemic, at times with devastating results.

Robinhood declined to comment on the agent’s performance. It said separately that, to its knowledge, no Social Security numbers or data about debit cards or bank accounts were compromised. Nor did customers incur financial losses, according to the firm…