Breaking news in the tech world shows that investment app Robinhood has been storing some user credentials in plain text without proper hash encryption.
Experts often explain that in the world of financial data, companies store user information that’s sensitive in encrypted systems with hash keys and other tools, so that if hackers access the data, they don’t have the unencrypted identifiers such as passwords and credit card numbers.
Today, Techcrunch and other venues are reporting a notice sent out by Robinhood that indicates there were user credentials being stored in plain text.
“This particularly dangerous security misstep could have seriously exposed its users, though it says that it has no evidence the data was accessed improperly. Better change your password now,” wrote TechCrunch reporter Devin Coldewey. “Sensitive data like passwords and personal information are generally kept encrypted at all times. That way if the worst came to pass and a company’s databases were exposed, all the attacker would get is a bunch of gibberish. Unfortunately it seems that there might have been a few exceptions to that rule.”
The Robinhood response clarified that there was no evidence that anyone accessed those identifiers without authorization. Robinhood has also taken steps to change the storage strategy and once users to update their passwords.
The nature of the Robinhood warning shows how careful companies are in the financial industry.
Some users would assume that if no hackers accessed data through internal systems, there’s no problem.
However, it has become standard to always keep data in encrypted formats, just in case of a data breach or other similar fiasco.
These redundant strategies help to prevent rampant cybercrime and the abuse of consumer information where it would occur.
As for liability, Robinhood seems to be weathering the media storm, although its name is tied to security missteps that might make many users nervous. However, Robinhood is by no means the only company that has been found to have practiced this type of transgression.
“Storing passwords in cleartext is a huge security blunder; however, Robinhood is in ‘good company,’” writes Catalin Cimpanu at ZDNet. “This year alone, Facebook, Instagram, and Google have all admitted to storing users passwords in cleartext.”
There’s a moral to this story: users and advocates have to keep tabs on corporate data storage practices, even as we take steps to create “strong passwords” for our sensitive data.
