Robinhood Phishing Attack Exploits Account Creation Flaw to Send Convincing Emails
Robinhood confirmed that cybercriminals exploited a vulnerability in its account creation process to distribute phishing emails to users over the weekend. The emails, sent from a legitimate Robinhood address (*@email.robinhood.com) with the subject line “Your recent login to Robinhood,” appeared authentic because they originated from the company’s own systems.
The attackers abused a flaw in Robinhood’s signup flow, creating new accounts using modified Gmail addresses via the “dot trick,” a method that works because Gmail ignores periods in usernames while Robinhood treated each variation as a unique account. During registration, the hackers injected malicious HTML code into the device name field, which triggered legitimate login notification emails containing embedded phishing links.
Despite passing email authentication checks, the emails rendered the unsanitized HTML, making the phishing links clickable. Robinhood clarified that no customer data or funds were compromised, as the attack did not involve a system breach. However, the incident may have leveraged email addresses stolen in a 2021 data breach or externally sourced Gmail accounts.
Security experts noted the sophistication of the campaign, which relied on legitimate system-generated notifications to deceive users. The attack highlights the risks of unsanitized input fields in authentication flows.
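The two weaknesses the summary describes map onto two defensive controls: canonicalizing Gmail-style addresses so dot and plus variants resolve to one identity before uniqueness checks and signup rate limits are applied, and HTML-escaping the device name on output so markup in that field is rendered as text in the notification email. The example below, written here to illustrate those controls, is not Robinhood's code; the domain list, the device-name allow-list regex, the function names, the email template and the sample signups are all assumptions constructed for the demonstration. The unsafe renderer is included only to show the defect next to its fix.

```python
"""Defensive handling for the two weaknesses described above (hypothetical
example code, not Robinhood's implementation): canonicalizing Gmail-style
addresses so dot/plus variants map to one identity, and HTML-escaping
user-supplied device names before they reach an email template."""
import html
import re
from collections import Counter

# Providers known to ignore dots in the local part and to route "+tag" suffixes
# to the base mailbox. Gmail is the case the report describes; googlemail.com is
# its legacy alias. (Assumed list for this example.)
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

# Conservative device-name policy (assumed, not the vendor's): printable
# characters only, bounded length. Names that fail this check are rejected
# rather than "cleaned", so the rendered email stays predictable.
DEVICE_NAME_RE = re.compile(r"^[\w .,'()/-]{1,64}$")


def canonicalize_email(address: str) -> str:
    """Return the identity an address actually resolves to.

    For dot-insensitive providers the local part has dots removed and any
    "+tag" dropped; every address is lower-cased. Use this value, not the raw
    string, for uniqueness checks and signup rate limits."""
    local, _, domain = address.strip().rpartition("@")
    local, domain = local.lower(), domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"  # googlemail.com delivers to the same mailbox
    return f"{local}@{domain}"


def suspicious_signup_clusters(addresses: list[str], threshold: int = 3) -> dict[str, int]:
    """Group signup addresses by canonical identity and report clusters at or
    above `threshold`: the unusual account-creation pattern worth monitoring."""
    counts = Counter(canonicalize_email(a) for a in addresses)
    return {ident: n for ident, n in counts.items() if n >= threshold}


def validate_device_name(name: str) -> bool:
    """Allow-list validation of the device name field at registration."""
    return bool(DEVICE_NAME_RE.fullmatch(name))


LOGIN_TEMPLATE = "<p>New login from device: {device}</p>"  # constructed template


def render_login_notice_unsafe(device_name: str) -> str:
    """The defect described in the report: the raw field lands in HTML email,
    so any markup inside it becomes live content."""
    return LOGIN_TEMPLATE.format(device=device_name)


def render_login_notice(device_name: str) -> str:
    """Hardened form: escape on output regardless of what input validation did."""
    return LOGIN_TEMPLATE.format(device=html.escape(device_name, quote=True))


if __name__ == "__main__":
    # Constructed sample signups: four dot/plus/case variants of one Gmail
    # mailbox plus one unrelated address.
    signups = ["j.o.h.n@gmail.com", "jo.hn+a@gmail.com", "john@googlemail.com",
               "JOHN@gmail.com", "jane.doe@example.com"]
    print(suspicious_signup_clusters(signups))  # {'john@gmail.com': 4}

    # Constructed hostile device name: markup carrying a link (example.invalid
    # is a reserved, non-routable domain).
    hostile = '<a href="https://example.invalid/">Verify your account</a>'
    print(validate_device_name(hostile))   # False: rejected at signup
    print(render_login_notice(hostile))    # tags arrive as literal text
```

Canonicalization is applied only to the uniqueness and rate-limit check; the address the user typed is still what the mailbox receives, so delivery is unaffected. Escaping on output is deliberately kept even though the allow-list would already have rejected the hostile name, so a later relaxation of the input policy cannot silently reintroduce the injection.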
Source: https://www.securityweek.com/robinhood-vulnerability-exploited-for-phishing-attacks/
Robinhood cybersecurity rating report: https://www.rankiteo.com/company/robinhood
{
"id": "ROB1777389843",
"linkid": "robinhood",
"type": "Vulnerability",
"date": "4/2026",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'customers_affected': 'Users who received phishing emails',
                        'industry': 'Fintech',
                        'name': 'Robinhood',
                        'type': 'Financial Services'}],
 'attack_vector': 'Account Creation Flaw (Unsanitized Input in Device Name Field)',
 'customer_advisories': 'Users advised to be cautious of phishing emails, even if sent from legitimate domains',
 'data_breach': {'data_exfiltration': 'No data exfiltration (phishing emails only)',
                 'personally_identifiable_information': 'Potential use of email addresses from 2021 breach or externally sourced Gmail accounts'},
 'description': "Robinhood confirmed that cybercriminals exploited a vulnerability in its account creation process to distribute phishing emails to users over the weekend. The emails, sent from a legitimate Robinhood address (*@email.robinhood.com) with the subject line 'Your recent login to Robinhood,' appeared authentic due to their origin from the company’s own systems. The attackers abused a flaw in Robinhood’s signup flow, creating new accounts using modified Gmail addresses via the 'dot trick,' a method where Gmail ignores periods in usernames, while Robinhood treats each variation as a unique account. During registration, the hackers injected malicious HTML code into device name fields, which triggered legitimate login notification emails containing embedded phishing links. Despite passing authentication checks, the emails rendered unsanitized HTML, making the phishing links clickable. Robinhood clarified that no customer data or funds were compromised, as the attack did not involve a system breach. However, the incident may have leveraged email addresses stolen in a 2021 data breach or externally sourced Gmail accounts.",
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to phishing emails sent from legitimate domain',
            'data_compromised': 'No customer data or funds compromised (phishing emails only)',
            'identity_theft_risk': 'Increased risk for users who clicked phishing links',
            'systems_affected': "Robinhood's account creation and email notification systems"},
 'initial_access_broker': {'entry_point': "Account creation flaw (Gmail 'dot trick')"},
 'lessons_learned': 'Risks of unsanitized input fields in authentication flows and the sophistication of phishing campaigns using legitimate system-generated notifications',
 'post_incident_analysis': {'root_causes': "Unsanitized HTML input in device name fields during account creation, combined with Gmail's 'dot trick' to create multiple accounts"},
 'recommendations': 'Sanitize input fields in account creation processes, implement stricter validation for device names, and monitor for unusual account creation patterns',
 'references': [{'source': 'Robinhood Public Statement'}],
 'response': {'communication_strategy': 'Public disclosure and clarification that no breach occurred'},
 'title': 'Robinhood Phishing Attack Exploits Account Creation Flaw to Send Convincing Emails',
 'type': 'Phishing Attack',
 'vulnerability_exploited': "Gmail 'dot trick' combined with unsanitized HTML input in Robinhood's signup flow"}