Just received this email from Robinhood (https://robinhood.com/):

"When you set a password for your Robinhood account, we use an industry-standard process that prevents anyone at our company from reading it. On Monday night, we discovered that some user credentials were stored in a readable format within our internal systems. We wanted to let you know that your Robinhood password may have been included.

We resolved this issue, and after thorough review, found no evidence that this information was accessed by anyone outside of our response team. Out of an abundance of caution, we still recommend that you change your Robinhood password.

We take matters like this seriously. Earning and maintaining your trust is our top priority, and we’re committed to protecting your information. Let us know if you have any questions–we’re here to help.

Sincerely,

The Robinhood Team"

If you've used Robinhood in the past, it's a good idea to check your emails!
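The "industry-standard process that prevents anyone at our company from reading it" in the email is password hashing with a per-user salt and an iterated key derivation function. The following is an added example (not Robinhood's code, and not from this thread) of what a minimal correct version looks like: the stored record contains only the derivation, verification recomputes it from the stored salt, and comparison is constant-time. The iteration count and record layout are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed parameters for this example; a real deployment picks its own
# work factor and revisits it as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The plaintext never appears in the record; only a salted, iterated
    derivation of it does, so nobody with read access to the store can
    recover the password from it.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time.

    Malformed records or records for another algorithm fail closed (False)
    instead of raising, so a corrupted row cannot turn into a login bypass
    or an unhandled exception on the login path.
    """
    try:
        algorithm, iterations_str, salt_hex, hash_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                  salt, iterations)
    # hmac.compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

The record carries its own algorithm and iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login without a flag day.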
This doesn't mean they were stored in a database. "a readable format within our internal systems" could be log files if they didn't scrub passwords when logging requests.
This is yet another reminder: Do Not Reuse Passwords. There’s good password management even for mobile operating systems these days. I’m using Bitwarden on iOS, and it integrates well both with native apps and webpages.

Also, use two factor authentication, of course. If you are going the U2F route, I highly recommend having a permanent key for each computer and a bluetooth+NFC key for on-the-go. It’s a worthwhile investment.

My biggest problem today is that it is tedious to generate and save new passwords on mobile, which is increasingly where I do so... but security always comes with some costs, I suppose.
Similar things have happened to Facebook and Google recently, the two companies that people keep repeating have the best security teams in the world. As long as humans are involved in programming - something that will likely be the case for the foreseeable future - these things will happen. But props to them for owning up to it and promptly mailing users proactively.
Not surprised, considering their security practices... see https://news.ycombinator.com/item?id=15679099
If you ever run a service, make sure you're not storing nginx logs with the contents of POST requests. A few years later you'll realize you "stored passwords in plaintext".

I assume this is what happened here, but maybe Robinhood will elaborate at some point.
The fact that they prompt you for your literal bank password when funding your account says everything you need to know about how they look at security.
Man, I would spend time masking sensitive data in a shop with no traffic, but someone like Robinhood or Facebook can get away with it. They don't sweat the small stuff, do they?
> "we ... recommend that you change your Robinhood password"

This should really be a forced reset. Not finding evidence that it was accessed isn't proof that it wasn't.
So they probably have a request logger that logs request headers, and they were accidentally logging credentials from those headers; that is probably what happened. This has hit basically every large web service at some point. Crazy this never came up in an earlier internal security audit, but not surprising it occurred in the first place.
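The failure mode raised in the three comments above (credentials ending up readable in request logs, whether from logged POST bodies or logged headers) is usually fixed at the point where the log line is built. The following is an added example, not code from this thread or from any of the companies mentioned: a small redaction layer that masks credential-bearing headers, sensitive query parameters, and sensitive fields in JSON or form-encoded bodies before anything is written, and that logs only the size of a body it cannot parse rather than the raw bytes. The field and header names, the sample request, and the log line format are all constructed for the example.

```python
import json
from typing import Any, Dict, Mapping
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed lists for this example; extend them for your own application.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "secret", "token", "ssn", "otp"}
REDACTED = "[REDACTED]"


def _is_sensitive(name: str) -> bool:
    # Substring match on purpose: "reset_token" and "old_password" should be masked too.
    n = name.lower()
    return any(s in n for s in SENSITIVE_FIELDS)


def _header(headers: Mapping[str, str], name: str) -> str:
    # HTTP header names are case-insensitive
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def redact_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Mask credential-bearing headers, keep the rest for debugging."""
    return {k: (REDACTED if k.lower() in SENSITIVE_HEADERS else v)
            for k, v in headers.items()}


def redact_query(path: str) -> str:
    """Mask sensitive query-string parameters; the path itself is kept."""
    parts = urlsplit(path)
    if not parts.query:
        return path
    pairs = [(k, REDACTED if _is_sensitive(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


def _redact_value(obj: Any) -> Any:
    """Walk nested JSON and mask every value stored under a sensitive key."""
    if isinstance(obj, dict):
        return {k: (REDACTED if _is_sensitive(k) else _redact_value(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [_redact_value(v) for v in obj]
    return obj


def redact_body(content_type: str, body: str) -> str:
    """Return a loggable rendering of the body, never its raw bytes."""
    ct = content_type.split(";")[0].strip().lower()
    if ct == "application/json":
        try:
            return json.dumps(_redact_value(json.loads(body)), sort_keys=True)
        except ValueError:
            pass  # not valid JSON: fall through to the fail-closed branch
    elif ct == "application/x-www-form-urlencoded":
        pairs = [(k, REDACTED if _is_sensitive(k) else v)
                 for k, v in parse_qsl(body, keep_blank_values=True)]
        return urlencode(pairs, safe="[]")
    # Unknown or unparseable content: log only the size, since we cannot
    # tell which parts are secrets.
    return f"<{len(body.encode('utf-8'))} bytes of {ct or 'unknown'} not logged>"


def build_log_line(method: str, path: str, headers: Mapping[str, str], body: str) -> str:
    """The single place where a request becomes a log line, so scrubbing cannot be bypassed."""
    safe_headers = json.dumps(redact_headers(headers), sort_keys=True)
    safe_body = redact_body(_header(headers, "Content-Type"), body)
    return f"{method} {redact_query(path)} headers={safe_headers} body={safe_body}"


# Constructed sample request with a password, an SSN, a bearer token and a reset token.
SAMPLE = {
    "method": "POST",
    "path": "/api/login?next=/home&reset_token=abc123",
    "headers": {"Content-Type": "application/json",
                "Authorization": "Bearer eyJ.constructed.token",
                "User-Agent": "example-client/1.0"},
    "body": '{"username": "alice", "password": "hunter2", "profile": {"ssn": "123-45-6789"}}',
}

if __name__ == "__main__":
    print(build_log_line(**SAMPLE))
```

Two design points matter more than the exact field list: every request passes through one function before it is logged, so there is no second code path that forgets to scrub; and the unparseable case drops the body instead of logging it as-is, since "log it and hope" is exactly how a POST body with a password ends up sitting in an nginx access log for years.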
I got an email this morning that my Hulu had been logged into... my Hulu and my Robinhood did in fact share a password. I have no evidence that these are connected, but better safe than sorry. (And I do use 1Password now, I just didn't back when I used Robinhood and Hulu).
"found no evidence that this information was accessed by anyone outside of our response team. Out of an abundance of caution, we still recommend that you change your Robinhood password."

That is complete bullshitting PR spin and I'm greatly concerned about my account.

Gee whiz, I wonder if anyone on the response team could have done something. Or a dev with nefarious purposes, like the guy that rigged the lottery multiple times.
It's hard to believe a financial services company would store passwords in plain text out of stupidity. Could this be a legal strategy to avoid responsibility in some scenario?
I smell weapons-grade bullshit.

> On Monday night, we discovered

Because one casually does security audits on a Monday night and then releases a "nothing has come to our attention" statement?

The one is proactive (on a Monday night?), the other speaks of a response to an external actor. Which is it?

The mere fact that a release like this happened suggests some sort of legal/SEC/accounting requirement was triggered, i.e., something happened.