Robinhood stored user passwords in plain text

High-flying stock trading fintech Robinhood has warned users to change their passwords after revealing that it stored the sensitive data in plain text, rather than an encrypted format, in its internal systems.



Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

Users were made aware of the security mishap in a company email: “On Monday night, we discovered that some user credentials were stored in a readable format within our internal systems."

The firm goes on to say that the issue has been resolved and that it has found no evidence that the information was accessed by anyone outside its "response team".

The security blunder comes just days after Robinhood raised a massive $323 million round of financing, and amid a growing call for improved security at tech firms following recent privacy breaches at Facebook and Equifax.

The company has refused to disclose how many customers were impacted by the issue, or how it came to make such a rookie error.


Comments: (16)

Russell Bell

Russell Bell Director at Fastbase Ltd

Surprising they would feel the need to admit such an embarrassing fact to their customers if they're certain the plaintext passwords weren't circulated outside the response team.  Perhaps they're not certain.

Amarendra Sinha

Amarendra Sinha Project Manager at Infosys

How could it be ensured that the plaintext password was not misused?

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

"When it says PCI-DSS on the outside, customers don't care whether the password is encrypted or stored in cleartext on the inside"*. That's the case with more critical apps like mobile wallets as I'd highlighted in the case of PayTM in Why Do People Obsess Over Security And Then Make Payments Without A Password?. I'm sure customers are even less bothered about such details in the case of a less critical app like RobinHood. 

*: Adapted from the mid 1990s ad by the then popular Compaq PC, which took a dig on the then popular "Intel Inside" campaign by proclaiming, "When it says Compaq on the outside, nobody cares what's on the inside", in an attempt to comfort customers about its use of CPUs inside its PCs from Intel's competitor AMD. 

Russell Bell

Russell Bell Director at Fastbase Ltd

Critical is in the eye of the beholder, I expect some Robinhood customers weren't too impressed.  These days encrypting customers passwords is about as optional as is putting your pants on before you go out in public.

Andrew Smith

Andrew Smith Founding CTO at RTGS & ClearBank

This just shows that the tech platform under-the-covers is seriously lacking. Why on earth would you ever be able to accidentally store passwords in clear text? This means they more than likely use some proprietary system for security and identity, and all this worries me. It wouldn't surprise me if they now just "hash" the passwords :(

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

Yes, critical is in the eye of the beholder, of course.

Let's take the recent Capital One hack and how critical it was for one of its beholders - er, cardholders.

QUOTE (per Fortune DataSheet dated 3 Aug 2019)

As a few friends and I were settling a dinner bill last night, I noticed a Capital One credit card peeking out amid a table-full of taco scraps and emptied margarita glasses.

"Uh, oh," I remarked. “Who’s got the Capital One card? Are you pissed?"

The owner revealed himself, yet he was oblivious to the week’s news. I informed him: A hacker had gotten her hands on personal information for more than 100 million of the bank's customers and credit card applicants. The suspect, a former Amazon Web Services employee, per court documents, stole people's names and addresses, 140,000 Social Security numbers, 80,000 bank account numbers, and one million Canadian social insurance numbers (like Social Security numbers, but Canadian).

My friend had no idea.

ENDQUOTE

So much for critical to beholder.

Russell Bell

Russell Bell Director at Fastbase Ltd

Ignorance is bliss, perception is reality ?  Banking customers are certainly encouraged to relax and to assume the bank will pick up the tab in the event of identity fraud or account takeover.  But the customers do pay for such protection, albeit in a rather opaque and indirect manner that they're not particularly aware of.  So who cares ?  The banks and their customers are indeed rather complacent about all this.

Fraud increases year on year as face-to-face banking shrinks and digital grows; the costs grow apace. The indirect costs of fraud prevention & remedy are labour-intensive and favour large institutions, the economies of scale discourage smaller bank competitors.  The costs are socialised, honest players pay for the sins of the guilty.  The large banks certainly don't want to get off this treadmill; rather, they would much prefer their competitors are forced on to it too.  But the move to digital also diminishes the status banks have traditionally held; when people see the emperor has no clothes, gaps in the market open.

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

When customers don't notice public announcements of major breaches at their financial institutions, who the heck is going to bother about opaque and indirect costs?

Besides, anybody can claim there's opaque cost in anything and, by definition, those claims can't be contested by anybody else. By becoming overzealous about fraud prevention, merchants lose sales and I claim that that adds hidden costs to banks, which they will pass on to customers, so I recommend that banks should continue with the status quo of covering customers for fraud-related losses without putting too much friction in the way of making the transaction happen.

I haven't seen any evidence that fraud as a percentage of transaction values has increased, but, for the sake of argument, even if it has, so what. It could be argued that that's the cost of doing business in today's digital world. End of the day, a bank can keep jumping up and down to prevent all the fraud it wants but that won't keep its lights on. Mitigating Fraud Does Not Pay The Bills 

Russell Bell

Russell Bell Director at Fastbase Ltd

By opaque I simply mean beneath the radar of most of us most of the time, not mysteriously-unknowable.

For those markets where margins on sales are customarily high, merchants are indeed willing to cover a certain level of fraud, because they can allow for such losses in their prices.

But in many price-sensitive markets, margins are necessarily low; merchants are unwilling to raise prices to cover losses due to fraud, and they don't want to be forced to use payment mechanisms that leave them with a high risk of chargebacks.  They want payment mechanisms that offer certainty.

Merchants want to have a choice.  They don't want to be forced to accept high levels of fraud as something inevitable, unavoidable.

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

In 2011, I wondered Do Retailers Want To Have Their Cake And Eat It Too?. Eight years later, I'm convinced they're not only greedy but incompetent and crybabies.

Every second store I visit, there are stockouts, salespeople are busy with their smartphones, the one-odd salesperson who deigns to attend to customers has less product knowledge than customers, etc. Retailers seriously need to get their internal act together instead of constantly crying about the adverse impact of external factors like payment processing costs, ecommerce, etc.

In any case, who is forcing retailers to accept whatever payment mode with whatever level of fraud and chargeback? Retailers are free to offer whatever payment modes they want. Nobody stops them from even inventing their own payment method. Oh wait, that's what they tried with MCX / CurrentC. They should ask themselves why that movie ended badly. 

Russell Bell

Russell Bell Director at Fastbase Ltd

You'll find a few retailers like that; indifferent to the wants of their customers, complacent.  Even to the extent they employ representatives willing to present a shamelessly arrogant and condescending front to the business's customers.  Usually these are the outfits that face so little competition in their market segment they don't feel the need to bother to compete on either price or quality of service.

But this isn't true of those great many retail businesses that do face competition; they treat their customers with respect, listen to them, deliver products & services the customers want, and are constantly on the lookout to partner with up-stream suppliers with the same attitude.

Unluckily for them, the largest suppliers of payment services tend to fit the former description; monopolistic in character, vigilant maintainers of the formidable barriers-to-entry of the payment industry.

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

In the USA, there are more than 6000 banks and fewer than 100 retailers (if that). So neither banking nor retail industry is a monopoly. I don’t know what “monopolistic behavior” means but, whatever it does, if it can be exhibited by banking industry with 6000 competitors, then what’s stopping the retail industry, which has fewer than 100 players, from exhibiting it and ensuring that it makes enough money to cover fraud and chargeback costs, instead of forever crying about costs of doing business? IMHO, “monopolistic behavior of banking” is just one more bogeyman – apart from high payment processing costs – used by retail industry to bark up the wrong tree and avoid fixing internal problems hampering its revenues and profits.

Russell Bell

Russell Bell Director at Fastbase Ltd

Maybe fewer than a hundred large chain stores but countless small companies.  For every Walmart or Costco there's tens of thousands of small retailers.  Even the smallest want to sell via the internet.  They want payment services trusted by customers on the other side of the world.  Only a handful of institutions offer payment services with a global reach, for example PayPal, Alipay and the credit card companies.

A common symptom of monopoly behaviour is an arrogant attitude towards customers - a patronising "we know what's best for you".  An identifying characteristic, because if customers had any choice naturally they wouldn't put up with such treatment.

Some retailers exhibit monopolistic behaviour, but unless their market is heavily regulated the means at their disposal are limited to exploiting economies of scale and ownership of their brand & intellectual property.  A partial monopoly at most, they can't dominate their market completely.  Apple is an example.

You can measure the health of a market by asking: how much choice do customers have ?  Few markets these days are "pure" monopolies, i.e. controlled by a single supplier.  But many are dominated by a small number of suppliers offering products/services that are nearly identical to each other for prices and on terms nearly identical.  This is called oligopoly; a market with the superficial appearance of competition but no real choice.

Heavily regulated industries such as banking are natural breeding grounds for monopolistic behaviour.

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

Oh, arrogance. Yeah right. Terribly monopolistic. Retailers should sue banks for monopolistic behavior, then.

On a side note, "products/services that are nearly identical to each other" is the textbook definition of commodity, whose purveyors are destined to go on a race to the bottom with lower and lower prices. If that's what banking is, retailers should rejoice. 

Russell Bell

Russell Bell Director at Fastbase Ltd

In competitive markets suppliers differentiate their offering one way or another.  If the product itself cannot be differentiated (i.e. it's a fungible commodity) suppliers compete on price; or if external factors limit price flexibility they find other ways to differentiate; discount or rebate structures to work around pricing restrictions; payment terms, trade-credit offered; carriage terms, coverage of goods-in-transit risk; terms for return-of-goods; help with regulatory compliance requirements; administrative options such as EDI purchase orders & invoices & credits etc.  At the retail level rewards/loyalty-points schemes are increasingly important.

Suppliers in competitive markets constantly ask their customers which terms are important to them, and adapt their offerings accordingly; over the years some become less important and new factors become important.

When the offerings from all suppliers are identical not just in respect of the nature of the product, but also in respect of pricing and other important terms, that's not a competitive market.

That's a common-sense view, but regulators see things differently; breaches of competition law are very difficult to prove except in the most egregious cases.

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

That’s services mindset. Rigidity - and the perceived arrogance that comes with it - are best practices in product business. It happens even in highly competitive industries and has nothing to do with monopoly / oligopoly. Every Tom Dick & Harry who doesn’t get a discount will have a common sense view of facing a monopoly, which is rubbish. "Abuse of monopoly" is necessarily a legal construct.

I can elaborate but this discussion has veered way far off course from the original topic. I’ll be happy to continue it offline.
