
If you're a Robinhood trading platform investor and got an email Sunday night warning about an unrecognized device on your account, don't click anything – it was a phishing attack, and Robinhood's own systems sent it. BleepingComputer reports that hackers found a flaw in Robinhood's account-creation process that allowed them to inject fake warnings into real Robinhood emails. The messages came from the legitimate Robinhood address, noreply@robinhood.com, and passed standard email security checks – meaning your inbox had no way to flag them as suspicious.
From there, they exploited a mismatch between how Gmail and Robinhood handle email addresses. Gmail ignores periods in usernames – "johndoe@gmail.com" and "john.doe@gmail.com" land in the same inbox – but Robinhood treats each variation as a unique account. That gap let attackers register fresh Robinhood accounts using slightly altered versions of real customers' addresses, which automatically triggered Robinhood's own confirmation email system to send a message directly to the intended victim.
This set the stage for the real manipulation. Robinhood's signup confirmation emails include a device name field populated with whatever information is captured from the registering user – and Robinhood wasn't screening that input for malicious code. Attackers modified their device metadata to include HTML instead of a device name, code that was designed to render inside the email as an urgent security alert with a link to the attacker's phishing site.
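The two weaknesses described above – treating dot variants of a Gmail address as separate accounts, and dropping an unescaped device name into an HTML email – can both be closed at the signup step. The following is an added example written for this article, not Robinhood's code: `canonical_email` collapses addresses to the mailbox they actually deliver to so a second registration against an existing inbox can be flagged, and `render_signup_email` HTML-escapes and length-limits the device name before it reaches the template. The template, the `DOT_INSENSITIVE_DOMAINS` set (an assumption that only gmail.com and googlemail.com ignore dots and `+` tags) and all sample addresses are constructed for the example.

```python
import html
import re

# Hypothetical signup-confirmation template, constructed for this example
# (not Robinhood's real email). {device} is the only untrusted value.
SIGNUP_TEMPLATE = (
    "<p>Thanks for signing up.</p>"
    "<p>Device used to register: <b>{device}</b></p>"
)

# Providers that deliver dot/plus variants of a local part to one inbox.
# Assumption: Gmail and its googlemail.com alias only; other providers are
# left untouched because they may treat the variants as distinct mailboxes.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr: str) -> str:
    """Return the mailbox an address delivers to, for duplicate detection only.

    Lowercases the address; for Gmail also removes dots in the local part,
    strips a '+tag' suffix and folds googlemail.com into gmail.com. Keep the
    address exactly as the user typed it for actual sending.
    """
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {addr!r}")
    local, domain = addr.split("@")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def is_duplicate_registration(existing: set[str], candidate: str) -> bool:
    """True if `candidate` would reach an inbox that already owns an account.

    `existing` holds the canonical form of every registered address, so a
    signup with a dotted variant of a customer's Gmail address is caught
    before any confirmation email is generated.
    """
    return canonical_email(candidate) in existing


def render_signup_email(device_name: str, max_len: int = 64) -> str:
    """Build the confirmation body with the device name treated as plain text.

    Control characters are removed, the value is truncated, and html.escape
    turns <, >, &, " and ' into entities so markup supplied by the registering
    client is displayed literally instead of rendered.
    """
    clean = re.sub(r"[\x00-\x1f\x7f]", "", device_name.strip())[:max_len]
    return SIGNUP_TEMPLATE.format(device=html.escape(clean, quote=True))


if __name__ == "__main__":
    # Constructed sample data: one existing customer and one lookalike signup.
    registered = {canonical_email("john.doe@gmail.com")}
    print(is_duplicate_registration(registered, "j.o.h.n.d.o.e@gmail.com"))
    # Constructed device-name payload of the kind the article describes;
    # the output shows it neutralized as literal text.
    print(render_signup_email('<a href="https://phish.example/">Secure account</a>'))
```

A production check would run `is_duplicate_registration` before queuing any email and treat a hit as an existing-account login prompt rather than a new signup; the escaping in `render_signup_email` is the right default for any user-controlled field that lands in HTML, whatever the address logic decides.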
When Robinhood sent what should have been a routine account confirmation, Gmail routed it to the real customer's inbox. Instead of a standard signup notice, recipients saw a fake warning about an unrecognized device on their account – and a button urging them to act immediately. Those who clicked landed on a site built to steal their Robinhood login credentials.
Robinhood confirmed the attack on X, calling it an "abuse of the account creation flow" and stressing that no systems were breached and no customer funds were touched. The company has since removed the vulnerable device field from its signup emails and says the phishing site is now offline.
If you got the email, delete it. If you clicked the link and entered your login information, change your password immediately and enable two-factor authentication (2FA) on your account. And this latest scam is a reminder to check all of your other critical accounts to ensure 2FA is enabled.
[Image credit: Suzanne Kantra/Techlicious via ChatGPT]