Stock Trading Service Robinhood Admits To Storing Some Passwords in Cleartext (zdnet.com) 30
Stock trading service Robinhood has admitted this week to storing some customers' passwords in cleartext, according to emails the company has been sending to impacted customers. From a report: "On Monday night, we discovered that some user credentials were stored in a readable format within our internal system," the company said. "We resolved the issue, and after thorough review, found no evidence that this information was accessed by anyone outside our response team." Robinhood is now resetting passwords out of an abundance of caution, despite not finding any evidence of abuse. A company spokesperson told ZDNet via phone call that not all Robinhood users were impacted, but could not reveal the exact number.
oh come on... (Score:4, Interesting)
Re: (Score:2)
why would I trust anyone who keeps stock trading customers' passwords in cleartext to be able to detect likely abuse ?
This is an odd disclosure because it does not seem to be legally required if there has not been a breach. Which leads me to believe there has either been a breach of indeterminate scope or a recently discovered security hole and they do not know if data was accessed before it was closed. The second seems more likely to me.
At any rate, it is not a good look.
Re: (Score:2)
why would I trust anyone who keeps stock trading customers' passwords in cleartext to be able to detect likely abuse ?
This is an odd disclosure because it does not seem to be legally required if there has not been a breach. Which leads me to believe there has either been a breach of indeterminate scope or a recently discovered security hole and they do not know if data was accessed before it was closed. The second seems more likely to me. At any rate, it is not a good look.
Erg, now that I read the full summary... They had to reset passwords to implement the correct security policy. This is probably to keep people from assuming there was a compromise when rumors of mass password resets circulate. It's plausible.
Re: (Score:2)
why would I trust anyone who keeps stock trading customers' passwords in cleartext to be able to detect likely abuse ?
You should trust them because they voluntarily self-reported the problem, which means they cared enough about security to check, and were honest enough to publicly disclose it.
What other company has done that?
The problem has been fixed, honest and competent people are in charge, and the person who made the mistake has been educated.
Okie Dokie (Score:4, Funny)
Well, while STOOPID on the part of Robinhood, I'm glad they fessed up and sent me an email about it.
What did I do? I use a password manager as it is so:
1. Changed my Robinhood password.
2. Notices Robinhood had 2FA, added that.
3. Changed by linked bank account passwords for good measure.
As they note, they don't store bank passwords. Anyhow, done. Moving on...
Re: (Score:2)
Well, while STOOPID on the part of Robinhood, I'm glad they fessed up and sent me an email about it.
I speculated elsewhere that the reason they fessed up is because implementing the correction requires users to reset their passwords (to get the plaintext passwords out of circulation). If enough users are asked to update their passwords, then word gets out. With no other alternative explanation provided, people will assume there was a breach.
But why? (Score:2)
Making it easier to rob from the rich and give to the poor?
Dear Startups, (Score:2)
Please stop hiring incompetent novice coders to build your security systems.
You're welcome.
Re: (Score:2)
I met their security team in 2017 - a bunch of smug attitudes from a group of folks that don't know half what they think they do. Run, do not walk from this company. It's a ticking time bomb from my perspective.
Re: (Score:2)
a bunch of smug attitudes from a group of folks that don't know half what they think they do.
Exactly what I would expect from morons who store their passwords in clear text...
This is criminally negligent (Score:2)
And it is high time to call it that. It has been known for decades that this is something that you must not do. Anybody doing it has not even done minimal research on how to do this right.