Robinhood admits to storing user passwords in plaintext

25 Jul 2019


Robinhood said it has resolved a security issue but advised users to change their passwords out of ‘an abundance of caution’.

Earlier this week, California-based stock trading start-up Robinhood made headlines after its latest funding round brought it to an estimated valuation of $7.6bn.

Robinhood allows individuals to invest in public companies and exchange-traded funds listed on the US stock exchanges without paying a commission. Last year, the company’s CEO had been discussing plans to go public.

However, on Wednesday (24 July), after a short period basking in the success of raising $323m in Series E financing, Robinhood sent an email to alert users of a potential issue.

In the email, which was seen by ZDNet, the company said: “On Monday night, we discovered that some user credentials were stored in a readable format within our internal systems. We wanted to let you know that your Robinhood password may have been included.”

The email went on to say that the issue has since been resolved. “After thorough review, we found no evidence that this information was accessed by anyone outside of our response team. Out of an abundance of caution, we still recommend that you change your Robinhood password,” the company said.

“Earning and maintaining your trust is our top priority, and we’re committed to protecting your information.”

A spokesperson for the company would not reveal the exact number of affected users to ZDNet, but confirmed that this slip-up did not affect the entire user base.

Password security

As pointed out by ZDNet, this year alone, Facebook, Instagram and Google have all admitted to storing passwords in cleartext. Last year, Twitter and Github made similar admissions.

Passwords are typically – or at least supposed to be – hashed or encrypted when they are stored in a company’s database. This prevents attackers who gain access to the database from learning a user’s password at a glance.

As TechCrunch explained: “That way if the worst came to pass and a company’s databases were exposed, all the attacker would get is a bunch of gibberish.”

Kelly Earley was a journalist with Silicon Republic
