Submitted via IRC for Bytram
Stock Trading Firm Robinhood Stored User Passwords in Plaintext
Robinhood, a California-based financial services company that provides a popular commission-free stock trading app, informed some users that copies of their passwords had been stored in a readable (plaintext) format in its internal systems, even though the primary password store uses a one-way hashing process.
"When you set a password for your Robinhood account, we use an industry-standard process that prevents anyone at our company from reading it. On Monday night, we discovered that some user credentials were stored in a readable format within our internal systems. We wanted to let you know that your Robinhood password may have been included," the company told impacted customers.
Robinhood says it has addressed the issue and claims to have found no evidence that the exposed passwords have been accessed by anyone outside its response team. However, "out of an abundance of caution," impacted users have been advised to change their passwords.
The company has not shared any technical details on the incident and it has refused to disclose the exact number of impacted users.
The financial services firm discovered the password issue on the same day it raised $323 million. The latest funding round valued the company at $7.6 billion.
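The two halves of the story, what the "industry-standard process that prevents anyone at our company from reading it" normally looks like and how credentials nonetheless end up readable in an internal system, as an added example in Python. This is not Robinhood's code and the page gives no technical details of the incident; the debug-logging path, the field names, the canary password and the sample log lines are all assumptions constructed for the illustration.

```python
# Added example (not Robinhood's code). Shows (1) salted, iterated password
# hashing so the stored record cannot be turned back into the password, and
# (2) the failure mode the story describes: a diagnostic path that writes the
# raw request, password included, into an internal store, plus a scan that
# finds such records. Field names, canary and log lines are constructed.
import hashlib
import hmac
import json
import os
import re

# PBKDF2-HMAC-SHA256 is used because it ships with the standard library; the
# iteration count follows current OWASP guidance for that KDF. argon2id or
# bcrypt from a maintained library are the better production choices.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record algorithm$iterations$salt$digest (hex).
    Only this record is persisted; the password itself never is."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Assumed names for the fields that carry a secret in a login/change request.
SENSITIVE_FIELDS = {"password", "new_password", "passwd", "pin"}


def redact_for_logging(event: dict) -> dict:
    """Copy of a request/event with credential fields blanked before it is logged.
    Every path that serialises a request (including debug handlers) should go
    through this; the story's 'readable format' is what happens when one does not."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v) for k, v in event.items()}


def find_readable_credentials(log_lines, canary_passwords):
    """Detection: return 1-based line numbers of records that carry an unredacted
    credential field, or that contain a planted canary password verbatim."""
    names = "|".join(re.escape(f) for f in sorted(SENSITIVE_FIELDS))
    field_pattern = re.compile(r'"(?:%s)"\s*:\s*"(?!\[REDACTED\]")' % names, re.IGNORECASE)
    hits = []
    for n, line in enumerate(log_lines, 1):
        if field_pattern.search(line) or any(c in line for c in canary_passwords):
            hits.append(n)
    return hits


# Constructed sample: one event logged through redaction, one dumped raw by a
# hypothetical debug handler for a canary test account, one raw for a real user.
CANARY = "canary-Tr0ub4dor&3"  # assumed secret of a test account created to be watched for
SAMPLE_LOG = [
    json.dumps({"event": "login", "user": "alice", "password": "[REDACTED]"}),
    json.dumps({"event": "login_debug", "user": "canary01", "password": CANARY}),
    json.dumps({"event": "login", "user": "bob", "password": "hunter2"}),
]

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record), verify_password("wrong", record))
    print(redact_for_logging({"user": "alice", "password": "s3cret"}))
    print(find_readable_credentials(SAMPLE_LOG, {CANARY}))  # [2, 3]
```

The canary check is the part worth copying: a test account whose password is known only to the security team, searched for across logs, crash dumps and analytics stores, turns "we found no evidence" into a measurement rather than a hope.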
(Score: 2) by bzipitidoo on Friday July 26 2019, @12:34PM (4 children)
Billions in value, and apparently too cheap to spend enough to hire a competent IT security team. Or they hamstrung their team with stupid requirements; that sometimes happens.
But plaintext passwords? That's like not putting on pants before going outside. These days, you have to work at it to get a system to store passwords in plaintext. That has not been an option for, I don't know, at least 25 years. What did they do, buy 1980s computer systems from a flea market?
In fact, it's so unbelievable, I wonder if someone did this intentionally. All these rich people, maybe they reuse passwords too ... and this firm named themselves Robinhood, hmmm.
(Score: 2) by acid andy on Friday July 26 2019, @01:07PM (1 child)
I wondered if it was some crappy newbie dev that put in code to grab the passwords as some kind of idiotically naive debugging / diagnostic function. For that to be in place on a live system though, is even more horrifying. Maybe those customers described a problem with the system and the n00b grabbed their passwords to try and log in as them to reproduce it. Like you say, malicious intent is quite likely too.
If a cat has kittens, does a rat have rittens, a bat bittens and a mat mittens?
(Score: 2) by acid andy on Friday July 26 2019, @01:10PM
For what I said to work though, they'd have to ask the customer to change their password, assuming their logger wasn't already in place.
If a cat has kittens, does a rat have rittens, a bat bittens and a mat mittens?
(Score: 2) by DannyB on Friday July 26 2019, @01:52PM (1 child)
Passwords can be protected by two very secure forms of encryption.
1. ROT13
2. EBCDIC
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 0) by Anonymous Coward on Friday July 26 2019, @10:38PM
But only ROT13 can be converted back to plaintext without paying a royalty to IBM.