
Robinhood Flaw Exploited to Send Convincing Phishing Emails

"We detected a login attempt from a device that is not recognized," read a falsified message that began landing in Robinhood customers' inboxes on Sunday evening, appearing to come from the company's legitimate noreply@robinhood.com address.

The phishing email and the fake review site

Starting Sunday evening (described as "last night" in the original reporting), customers reported receiving emails with the subject line "Your recent login to Robinhood." The messages contained an alarming section claiming an "Unrecognized Device Linked to Your Account," displayed unfamiliar IP addresses and partial phone numbers, and included a prominent "Review Activity Now" button. That button led to a phishing site at robinhood[.]casevaultreview[.]com, which is now down. Screenshots posted on Reddit show the site was likely used to try to harvest Robinhood credentials.

How attackers abused Robinhood's account-creation onboarding flow

BleepingComputer confirmed the technical route the attackers used: when a new Robinhood account is registered, the company automatically sends a "Your recent login to Robinhood" email containing the registration time, IP address, device information, and an approximate location. The threat actors submitted device metadata during account creation that contained embedded HTML. Because Robinhood neither escaped nor stripped that input before rendering the email template, the HTML was injected into the Device: field of the account confirmation email and was rendered by recipients' mail clients as a fake warning about unrecognized activity.
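To make the failure mode concrete, the following is an added example (not Robinhood's code and not from the BleepingComputer report) that contrasts the vulnerable pattern with two defences. The template shape, the field names, the timestamp, the IP and the injected device string are all constructed stand-ins: the report does not reproduce the actual payload. `render_unsafe` interpolates user-supplied metadata verbatim, `render_safe` HTML-escapes every value at the point it enters the template, `looks_like_markup` is the validation check that would have rejected or alerted on the signup, and `clean_device_string` shows the defence-in-depth option of normalizing a display-only field before it is stored.

```python
import html
import re

# Constructed sample values for the metadata fields the article says the
# confirmation email carries (time, IP, device, approximate location).
# None of these are values from the actual incident.
BENIGN_DEVICE = "Chrome 120 on Windows 11"
INJECTED_DEVICE = (
    '<h2 style="color:#c00">Unrecognized Device Linked to Your Account</h2> '
    '<a href="https://phish.invalid/review">Review Activity Now</a>'
)

# Minimal stand-in for a transactional email template (assumed shape, not Robinhood's).
TEMPLATE = (
    "<html><body>\n"
    "<p>Your recent login to Robinhood</p>\n"
    "<p>Time: {time}</p>\n"
    "<p>IP: {ip}</p>\n"
    "<p>Device: {device}</p>\n"
    "<p>Location: {location}</p>\n"
    "</body></html>"
)


def sample_fields(device):
    """Build the template fields for one signup; only `device` is user-controlled here."""
    return {
        "time": "2026-02-22 19:04 UTC",  # constructed
        "ip": "203.0.113.7",             # constructed, RFC 5737 documentation range
        "device": device,
        "location": "Unknown",
    }


def render_unsafe(fields):
    """Vulnerable pattern: user-supplied strings are dropped into the HTML body verbatim,
    so markup in the device string is rendered by the mail client as part of the message."""
    return TEMPLATE.format(**fields)


def render_safe(fields):
    """Hardened pattern: every value is HTML-escaped as it enters the template, so the
    same device string is displayed as literal text ('&lt;h2 ...') instead of markup."""
    escaped = {k: html.escape(str(v), quote=True) for k, v in fields.items()}
    return TEMPLATE.format(**escaped)


_TAG_RE = re.compile(r"</?[a-zA-Z][^>]*>")


def looks_like_markup(value):
    """Input validation / detection check: a device string has no business containing
    tags. Use it both to reject the signup and to raise an alert, since escaping alone
    silently neutralises the attempt without telling anyone it happened."""
    return bool(_TAG_RE.search(value))


def clean_device_string(value, max_len=80):
    """Defence in depth for a display-only field: strip tags and non-printable
    characters, collapse whitespace and cap the length, so the stored value cannot
    carry a whole phishing lure even if some later consumer forgets to escape it."""
    no_tags = _TAG_RE.sub("", value)
    printable = "".join(ch for ch in no_tags if ch.isprintable())
    return " ".join(printable.split())[:max_len]


if __name__ == "__main__":
    attacker = sample_fields(INJECTED_DEVICE)
    print(render_unsafe(attacker))   # the lure renders as real HTML
    print(render_safe(attacker))     # the lure is shown as inert text
    print(looks_like_markup(INJECTED_DEVICE), "->", clean_device_string(INJECTED_DEVICE))
```

Escaping at render time is the fix that generalizes (it protects every field, not just the one that was abused this time); removing the field, as Robinhood did, is the fastest way to close the specific hole. Doing both, plus logging rejected signups, gives the security team a signal when someone probes the flow again.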

Why the emails passed security checks and looked legitimate

What made this campaign especially convincing was that the messages were sent from the legitimate noreply@robinhood.com address and passed SPF and DKIM checks. They passed because they were genuine Robinhood transactional emails generated and sent by Robinhood's own mail infrastructure; only the content of one field was attacker-controlled, and sender authentication says nothing about content. Attackers also increased their chances of reaching intended targets by exploiting Gmail's dot-aliasing behavior (adding periods to an address does not change where it is delivered), which let them register accounts under variations of real email addresses while the confirmation messages still landed in the legitimate inbox owners' mailboxes.
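The dot-aliasing trick is cheap to detect on the service side if registration addresses are canonicalized before they are compared. The following is an added example (not from the report and not Robinhood's code): `canonical_email` maps an address to the inbox it actually delivers to, and `alias_clusters` flags inboxes that several distinct registrations collapse onto. It goes slightly beyond the page in also folding Gmail's `+tag` suffixes and the `googlemail.com` alias, both of which Gmail likewise ignores; the domain set and the sample signup list are constructed.

```python
# Domains whose mail routing ignores dots in the local part. Gmail also delivers
# googlemail.com to the same inboxes. Only add providers whose behaviour is known.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address):
    """Map an address to the inbox it actually delivers to.

    For Gmail this folds case, drops any '+tag' suffix and strips dots from the
    local part (Gmail ignores all three). For other domains only case is folded,
    because RFC 5321 leaves interpretation of the local part to the receiving host."""
    addr = address.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def alias_clusters(signup_addresses, min_size=2):
    """Group registration addresses by the inbox they resolve to and return every
    inbox that at least `min_size` distinct raw addresses collapse onto.

    In the campaign described above each cluster would be one real recipient
    being signed up repeatedly under dot variants; flagging it lets the service
    rate-limit or hold those signups before the confirmation email goes out."""
    by_inbox = {}
    for raw in signup_addresses:
        by_inbox.setdefault(canonical_email(raw), set()).add(raw.strip().lower())
    return {inbox: sorted(v) for inbox, v in by_inbox.items() if len(v) >= min_size}


# Constructed sample of registration attempts; not data from the incident.
SAMPLE_SIGNUPS = [
    "jane.doe@gmail.com",
    "j.a.n.e.doe@gmail.com",
    "Jane.Doe+rh@googlemail.com",
    "janedoe@gmail.com",
    "jane.doe@example.com",   # dots are significant here; a different inbox
    "alex@example.com",
]

if __name__ == "__main__":
    for inbox, variants in alias_clusters(SAMPLE_SIGNUPS).items():
        print(f"{inbox}: {len(variants)} registrations -> {variants}")
```

The same canonical form should be used when enforcing uniqueness on signup, so that a second account for an already-registered inbox is treated as a duplicate rather than a new customer who needs a confirmation email.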

Robinhood's response and remediation

Robinhood confirmed the incident in a statement posted to X, saying: "On Sunday evening, some customers received a falsified email from noreply@robinhood.com with the subject line 'Your recent login to Robinhood.' This phishing attempt was made possible by an abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and funds were not impacted." BleepingComputer verified that Robinhood has fixed the flaw by removing the Device: field that was previously abused from their account creation emails. The company advises users who received the message to delete it and avoid clicking any links.

What this means for technologists, end users, and adversaries

  • Technologists and security teams: The incident illustrates a concrete failure mode in onboarding pipelines — unsanitized device metadata rendered inside an email template. The immediate remediation was to remove the Device: field from account-creation emails, a change BleepingComputer confirmed Robinhood implemented.
  • End users and the general public: Recipients were advised by Robinhood to delete the falsified email and avoid clicking links. The campaign depended on preexisting lists of email addresses; the source notes that Robinhood's November 2021 data breach—impacting 7 million customers and later offered for sale on a hacking forum—likely provided fodder for targeting.
  • Adversaries and threat actors: Attackers combined several simple techniques—HTML injection into device metadata, reuse of breached address lists, and Gmail dot-aliasing—to convert a legitimate automated notification into a delivery mechanism for credential phishing. The phishing landing site identified in early reporting is now offline, but the chain of methods used shows how multiple small weaknesses can be chained together.

The immediate technical fix removed the abused field from the automated messages, the apparent malicious site has been taken down, and Robinhood states that customer accounts and funds were not accessed. Still, the episode is a pointed reminder: automated transactional messages that include user-supplied metadata must be escaped or stripped before they are rendered, and attackers will exploit small weaknesses in onboarding flows to weaponize trusted senders.

Original reporting: BleepingComputer — Robinhood account creation flaw abused to send phishing emails