Robinhood said a flaw in its account creation flow was abused to send phishing emails to customers on Sunday evening. The messages were sent from the company's own legitimate address, passed email authentication, and carried a fake warning about an unrecognized device on the recipient's account.
KEY FACTS
- Method: attackers injected HTML into account confirmation emails by abusing the onboarding process.
- Delivery: the messages came from Robinhood's legitimate sending address and passed SPF and DKIM checks, because they were generated and sent by Robinhood's own mail pipeline.
- Content: recipients saw a fake login alert with a link to a phishing site that is now offline.
- Impact: Robinhood said personal information and funds were not affected.
Threat actors changed device metadata fields to include embedded HTML, which was not properly sanitized. That code was rendered inside the email as a fake “Unrecognized Device Linked to Your Account” notice, followed by a button labeled “Review Activity Now.”
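The flaw described above is a classic HTML injection into a mail template: a user-controlled field is interpolated into the message body without escaping, so whatever markup the attacker put in the field is rendered by the recipient's mail client. The following is an added example written for this page, not Robinhood's code, and the template, the payload text and the link in it are constructed for illustration (`example.invalid` is a reserved test domain). It shows the unsafe rendering beside two layered fixes: escaping at render time, and an allowlist check on the field at intake so that markup never reaches storage in the first place.

```python
import html
import re

# Constructed attacker payload modelled on the incident: a "device name" that
# closes the surrounding paragraph and injects its own notice plus a link.
# The wording and URL are illustrative, not the real ones from the campaign.
INJECTED_DEVICE_NAME = (
    'iPhone</p><h2>Unrecognized Device Linked to Your Account</h2>'
    '<a href="https://example.invalid/review">Review Activity Now</a><p>'
)

# Hypothetical confirmation-email template; not Robinhood's actual template.
TEMPLATE = "<p>Welcome! You signed up from device: {device}</p>"


def render_unsafe(device_name: str) -> str:
    """Interpolates the user-supplied value straight into the HTML body (the flaw)."""
    return TEMPLATE.format(device=device_name)


def render_safe(device_name: str) -> str:
    """Escapes the value so any markup is displayed as text, never rendered."""
    return TEMPLATE.format(device=html.escape(device_name, quote=True))


# Allowlist for a device name: short, plain characters only. Anything else is
# rejected at account creation, before it is stored or used in any template.
DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9 ._'()-]{1,64}$")


def validate_device_name(device_name: str) -> bool:
    """Returns True only for values that match the allowlist."""
    return DEVICE_NAME_RE.fullmatch(device_name) is not None


TAG_RE = re.compile(r"<[^>]+>")


def rendered_tags(body: str) -> list[str]:
    """Lists the HTML tags in a rendered body: what a mail client would actually interpret."""
    return TAG_RE.findall(body)


if __name__ == "__main__":
    print("unsafe tags:", rendered_tags(render_unsafe(INJECTED_DEVICE_NAME)))
    print("safe tags:  ", rendered_tags(render_safe(INJECTED_DEVICE_NAME)))
    print("payload passes allowlist:", validate_device_name(INJECTED_DEVICE_NAME))
```

With the unsafe renderer the payload's `<h2>` and `<a>` elements survive into the body and the mail client draws a notice and a button; with escaping they appear as literal text, and the allowlist rejects the value before it is ever rendered. Escaping at the template boundary is the control that must exist regardless of validation, since the same stored field may later be rendered by a template nobody thought to check.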
The emails were likely aimed at known customer addresses from earlier data breaches. The report noted that attackers also used Gmail dot aliasing: Gmail ignores dots in the local part of an address, so registering variations such as j.ane.doe@ and jane.d.oe@ looks like a series of distinct new accounts to a sign-up form, while every resulting confirmation email lands in the same real inbox.
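One defensive use of the aliasing behaviour described above is to canonicalize addresses before uniqueness and rate-limit checks at sign-up, so a burst of dotted or plus-tagged variants of one inbox is counted as one mailbox. The following is an added example for this page, not code from the report or from Robinhood; the sign-up list is constructed sample data, and the canonicalization rules (drop dots and `+tag` suffixes, fold googlemail.com onto gmail.com) are applied only to Gmail domains, since dots are significant in the local part elsewhere unless the provider documents otherwise.

```python
from collections import Counter

# Domains known to ignore dots in the local part and to deliver +tag sub-addresses
# to the base mailbox. Extend per provider only on documented behaviour.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Maps an address to the mailbox that will actually receive mail.

    Gmail: lower-case, strip dots in the local part, drop any '+suffix', and
    fold googlemail.com onto gmail.com. Other domains are only lower-cased.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def signups_per_mailbox(signup_addresses):
    """Counts sign-up attempts per real mailbox rather than per literal address."""
    return Counter(canonical_mailbox(a) for a in signup_addresses)


def suspicious_mailboxes(signup_addresses, threshold=3):
    """Mailboxes that received at least `threshold` sign-ups under different aliases."""
    counts = signups_per_mailbox(signup_addresses)
    return sorted(m for m, n in counts.items() if n >= threshold)


# Constructed sign-up log (not real data): five aliases of one Gmail inbox,
# plus two unrelated addresses that should not be flagged.
SAMPLE_SIGNUPS = [
    "jane.doe@gmail.com",
    "j.ane.doe@gmail.com",
    "janedoe+rh1@gmail.com",
    "Jane.Doe@googlemail.com",
    "ja.ne.do.e+x@gmail.com",
    "jane.doe@example.org",
    "someone@example.net",
]

if __name__ == "__main__":
    for mailbox, n in signups_per_mailbox(SAMPLE_SIGNUPS).items():
        print(f"{mailbox}: {n} sign-up(s)")
    print("flagged:", suspicious_mailboxes(SAMPLE_SIGNUPS))
```

Run against the sample log, the five Gmail variants collapse to a single mailbox with five sign-ups, which a per-mailbox rate limit or a manual review queue can act on, while the two unrelated addresses stay at one each. The same canonical form is the right key for "has this inbox already received a confirmation email recently" checks.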
Robinhood said the phishing attempt was possible because of abuse of the account creation flow and not because of a breach of its systems or customer accounts. The company said it removed the Device field from account creation emails after the issue was fixed.
WHY IT MATTERS
The case shows how a flaw in an email workflow can turn a trusted, authenticated sender into a delivery channel for phishing: SPF and DKIM confirm which domain sent a message, not that its contents are safe, so a message assembled from unsanitized user input will pass every check a recipient's mail system applies. Users who received the message were advised to delete it and avoid clicking links.

