Robinhood, the stock trading service, is alerting users that some account passwords were stored on its systems in human-readable form, otherwise known as clear text. While no foul play was detected, this could have allowed employees or unauthorized users to view an account's password.
Any site that stores passwords should never keep them in clear text. The accepted practice is not even to encrypt them, since an encryption key held by the operator can be used to decrypt them, but to store only a salted, deliberately slow hash (bcrypt, scrypt or Argon2) from which the original password cannot be recovered. A password kept in clear text is exposed to any employee with access to the system and to any attacker who obtains a copy of that system's data in a breach.
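To make the "hash, don't store" point concrete, here is an added example (not code from the original article and not Robinhood's implementation) of how a site should keep and check a password. It uses scrypt from the Python standard library so it runs without third-party packages; in production a maintained bcrypt or Argon2 library is the usual choice. The record format and the scrypt cost parameters are assumptions for the example.

```python
import hashlib
import hmac
import os

# scrypt cost parameters. These values are an assumption for the example;
# raise N until a single hash takes a noticeable fraction of a second on
# your hardware. 128 * r * N bytes of memory are used per hash (16 MiB here).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, cost parameters, salt, digest.

    Storing the parameters beside the digest lets you raise the cost later
    and re-hash each user transparently on their next successful login.
    """
    salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare it.

    The comparison is constant-time so that a response-timing side channel
    cannot leak how many leading bytes of the digest were correct.
    """
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        candidate = hashlib.scrypt(password.encode("utf-8"),
                                   salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p),
                                   dklen=DIGEST_BYTES)
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        # Malformed record (wrong field count, bad hex, bad parameters).
        return False


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)            # password itself never appears
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Correct horse battery staple", record))
```

Note that two calls to `hash_password` with the same input produce different records because each gets its own salt; that is what stops an attacker who steals the table from cracking every user with one precomputed dictionary.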
In an email shared with BleepingComputer, Robinhood is alerting affected users that "an issue" caused their passwords to be stored in clear text. The issue was discovered Monday night and has since been resolved, but Robinhood is suggesting that users reset their passwords to be safe.
Instead of automatically resetting the passwords of affected users, Robinhood has opted to send the email below and let users decide whether to reset. As this is a financial services company, with money at risk if someone breaks into your account, everyone who received the notice should reset their password.
The full text of the email can be read below:
When you set a password for your Robinhood account, we use an industry-standard process that prevents anyone at our company from reading it. On Monday night, we discovered that some user credentials were stored in a readable format within our internal systems. We wanted to let you know that your Robinhood password may have been included. We resolved this issue, and after thorough review, found no evidence that this information was accessed by anyone outside of our response team.

Out of an abundance of caution, we still recommend that you change your Robinhood password.

We take matters like this seriously. Earning and maintaining your trust is our top priority, and we're committed to protecting your information. Let us know if you have any questions - we're here to help.

Sincerely,
The Robinhood Team
Robinhood told BleepingComputer that a forced password reset was not performed because there was no evidence that the passwords were accessed by anyone outside its response team. The company reiterated that the issue only affected a portion of its user base, but it is not providing the total number of affected users.
“We swiftly resolved this information logging issue. After a thorough review, we found no evidence that this customer information was accessed by anyone outside of our response team. Out of an abundance of caution, we have notified customers who may have been impacted and encouraged them to reset their passwords. We take our responsibility to customers seriously and place an immense focus on working to ensure their information is secure.”
Based on the statement, which calls this an "information logging issue," it appears that the passwords were being written in clear text to internal logs rather than being stored improperly in the account records themselves. That is a common way for this class of bug to occur: an application logs the full contents of a login or sign-up request for debugging, and the password field goes into the log along with everything else, where it is readable by anyone with access to the log files or the log pipeline.
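The following is an added example, not code from the original article or from Robinhood, of that logging pattern and the usual fix: a redaction filter attached to the logger that masks sensitive fields before any handler formats the record. The sample request body, the field-name pattern and the logger names are constructed for the example.

```python
import io
import logging
import re
from typing import Any

# Field names whose values must never reach a log line. This pattern is an
# assumption for the example; it is deliberately broad (a false positive costs
# one masked value, a false negative costs a credential) and should be
# extended to match your own request schemas.
SENSITIVE_KEY = re.compile(
    r"pass(word|wd|phrase)?|pwd|secret|token|authorization|cookie|otp",
    re.IGNORECASE,
)
MASK = "[REDACTED]"


def redact(value: Any) -> Any:
    """Return a copy of value with every sensitive-key value masked, at any depth."""
    if isinstance(value, dict):
        return {k: (MASK if SENSITIVE_KEY.search(str(k)) else redact(v))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v) for v in value)
    return value


class RedactingFilter(logging.Filter):
    """Scrub structured log arguments before any handler formats them.

    Attach this to the logger, not to a single handler, so every handler,
    including a file or log-shipping handler added later, sees only the
    redacted arguments. Note that logging collapses a lone dict argument
    into record.args itself, hence the two branches.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.args, dict):
            record.args = redact(record.args)
        elif record.args:
            record.args = tuple(redact(a) for a in record.args)
        return True


def capture_login_log(payload: dict, redacting: bool) -> str:
    """Log a login request the way a debug logger might and return the emitted line."""
    logger = logging.getLogger("example.login.%s" % ("safe" if redacting else "leaky"))
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    sink = io.StringIO()
    logger.addHandler(logging.StreamHandler(sink))
    if redacting:
        logger.addFilter(RedactingFilter())
    # The bug pattern: logging the whole request body "for debugging".
    logger.debug("POST /login body=%s", payload)
    return sink.getvalue().strip()


# Constructed sample request body, standing in for a real login POST.
SAMPLE_LOGIN = {"username": "alice", "password": "hunter2", "mfa": {"otp": "123456"}}

if __name__ == "__main__":
    print("without filter:", capture_login_log(SAMPLE_LOGIN, redacting=False))
    print("with filter:   ", capture_login_log(SAMPLE_LOGIN, redacting=True))
```

One caveat the filter cannot fix: if the code serializes the body to a string before logging it (`logger.debug("body=%s", json.dumps(payload))`), the filter sees only a string and the password goes through untouched. Redact the structure first, then serialize, and treat any log line that contains a raw request body as a finding when reviewing code.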
Thanks to arpbadger for the tip.