Robinhood Markets on Monday afternoon disclosed an unauthorized party obtained access to personal information for nearly one-quarter of the company’s nearly 20 million users, marking one of the biggest security breaches ever for the popular online brokerage.
In a blog post late Monday afternoon, Robinhood said an unauthorized third party “socially engineered” a customer support employee by phone on the evening of November 3 and obtained access to customer support systems.
The Menlo Park, Calif.-based trading firm did not provide additional details about how the intruder manipulated its customer support employee but said it believes the person obtained a list of email addresses for approximately 5 million people and the full names of roughly 2 million people.
About 310 people had additional personal information—including names, dates of birth and zip codes—exposed in the breach, while about 10 customers had “more extensive account details revealed,” Robinhood said.
Robinhood, which did not immediately respond to Forbes’ request for comment, also said the unauthorized party demanded an extortion payment after the brokerage contained the intrusion and that it “promptly” informed law enforcement after the incident.
The company said it’s in the process of notifying affected customers and that it believes no Social Security numbers, bank account numbers, or debit card numbers were exposed.
Shares of Robinhood fell as much as 3% to $37 in after-hours trading, reversing a 2.6% increase on Monday.
Though the security breach on Wednesday marks one of Robinhood’s largest ever, it’s certainly not the first. Hackers reportedly infiltrated nearly 2,000 accounts and siphoned off customer funds in a breach last October. At the time, a spokesperson said the cybercriminals targeted users whose personal email addresses had been compromised outside of Robinhood and that the incident therefore did not stem from a breach of its internal systems.