After Robinhood, SaaS Companies at Increased Risk of Social Engineering Attacks | November 2021

Threat actors are targeting SaaS providers with social engineering techniques. Here's what you need to know.


On November 8, 2021, Robinhood notified customers of a security breach that resulted in the theft of data on millions of their customers. The threat actor attempted to extort Robinhood into paying a ransomware in return for a promise of not releasing the stolen data. Current threat intelligence indicates that the threat actors are targeting other SaaS companies using similar techniques. Corvus encourages SaaS companies to maintain vigilance and remind all employees, especially those with access to sensitive data, to keep a watchful eye and not provide information or access to individuals who cannot be verified.

Quick facts: what you need to know now

The following are the facts known to date. While the facts will change as more information is provided, what is currently known provides a good understanding of the key steps the threat actor took. Specifically, the threat actor:

  1. Placed a phone call to a customer support engineer and socially engineered them into believing they were a Robinhood employee.
  2. Gained access to internal customer support systems that stored details on Robinhood customers. This could have been facilitated in a number of ways, though the most likely culprit is the download of malicious software to the customer support employee’s computer.
  3. Exfiltrated information on millions of Robinhood customers.
  4. Contacted Robinhood and demanded a ransom payment to not release the data.

Next steps for all SaaS Companies 

  1. Remind employees to be vigilant. Ensure they:
    1. Do not provide confidential information including company data or passwords to individuals if that individual is not known.
    2. Do not download software to your systems at the direction of an unknown party.
  2. Ensure proper training is provided to users to identify suspicious phishing emails, text messages, and phone calls.
  3. Ensure that an Endpoint Detection and Response Solution is deployed to all systems in the environment.
  4. Ensure all applications storing sensitive information are protected with MFA.