Robinhood Vulnerability Exploited for Phishing Attacks

Summary

Robinhood confirmed that attackers exploited a vulnerability in its account creation process to launch a phishing campaign. The attackers abused the Gmail 'dot trick' to create new accounts, injected malicious HTML into device name fields, and triggered legitimate-looking phishing emails from Robinhood's own systems that bypassed authentication checks. No systems, customer accounts, or funds were compromised, but the attack demonstrates a sophisticated account creation workflow vulnerability.

Full text

Investing and trading platform Robinhood has confirmed that cybercriminals exploited a vulnerability in its account creation process to send out legitimate-looking phishing emails. Many Robinhood users reported receiving suspicious emails over the weekend and an analysis revealed that they were sent out as part of a phishing campaign. According to the company, the emails came from ‘[email protected]’ and had the subject line ‘Your recent login to Robinhood’. “This phishing attempt was made possible by an abuse of the account creation flow,” Robinhood explained. “It was not a breach of our systems or customer accounts, and personal information and funds were not impacted.” Experts who analyzed the phishing emails said the attackers created new Robinhood accounts using modified versions of existing Gmail addresses via the so-called ‘dot trick’. Specifically, they leveraged the fact that Gmail ignores periods inserted into or removed from a username, whereas Robinhood treats each variation as distinct, allowing the attackers to create a new account that Gmail would point to an existing account. During signup, the attackers injected malicious HTML code containing phishing links into device name fields. Advertisement. Scroll to continue reading. The hackers’ actions triggered legitimate ‘recent login’ notification emails from Robinhood, which rendered the unsanitized HTML and embedded clickable phishing links. The emails passed all authentication checks since they originated from Robinhood’s own systems, making them highly convincing. Robinhood suffered a data breach back in 2021 and the attackers stole millions of names and email addresses. This phishing attack may have leveraged email addresses stolen at the time, or the attackers may have used externally sourced or guessed Gmail addresses. Related: Security Firm Executive Targeted in Sophisticated Phishing Attack Related: Tycoon 2FA Loses Phishing Kit Crown Amid Surge in Attacks Related: Germany Suspects Russia Is Behind Signal Phishing That Targeted Top Officials Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Medtronic Hack Confirmed After ShinyHunters Threatens Data LeakMalicious AI Prompt Injection Attacks Increasing, but Sophistication Still Low: GoogleEnergy and Water Management Firm Itron HackedFirefox Vulnerability Allows Tor User FingerprintingLocked Shields 2026: 41 Nations Strengthen Cyber Resilience in World’s Biggest ExerciseVulnerabilities Patched in CrowdStrike, Tenable ProductsChinese Cybersecurity Firm’s AI Hacking Claims Draw Comparisons to Claude MythosAI Can Autonomously Hack Cloud Systems With Minimal Oversight: Researchers Latest News The Mythos Moment: Enterprises Must Fight Agents with AgentsWebinar Today: A Step-by-Step Approach to AI GovernanceAlleged Chinese State Hacker Extradited to USDozens of Open VSX Extension Clones Linked to GlassWorm MalwareSevii Launches Cyber Swarm Defense to Make Agentic AI Security Costs PredictableElectric Motorcycles and Scooters Face Hacking Risks to Security and Rider SafetyNo Patch for New PhantomRPC Privilege Escalation Technique in WindowsGermany Suspects Russia Is Behind Signal Phishing That Targeted Top Officials Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: A Step-by-Step Approach to AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveNeill Feather has been named Chief Executive Officer at Point Wild.Oasis Security has appointed Michael DeCesare as President.Sterling Wilson has joined IGEL as Global Field CTO, Business Continuity and Disaster Recovery.More People On The MoveExpert Insights The Mythos Moment: Enterprises Must Fight Agents with Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense in the Age of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) Flipboard Reddit Whatsapp Whatsapp Email

Entities