Robinhood customers were targeted in a phishing campaign after attackers abused the company’s account creation process to insert fake security warnings into legitimate emails.
The messages looked genuine because they really were sent from Robinhood’s official noreply@robinhood.com address.
Users began receiving emails titled “Your recent login to Robinhood” claiming an unrecognized device had been linked to their account. The message warned of suspicious activity and urged users to click a “Review Activity Now” button.
That button reportedly redirected victims to a phishing website designed to steal Robinhood login credentials. What made the scam highly convincing was that the emails passed SPF and DKIM checks, because they were sent through Robinhood’s own mail infrastructure, so inbox providers treated them as authentic.
According to reports, attackers exploited a flaw in Robinhood’s onboarding system by injecting malicious HTML code into device metadata fields during account registration. Robinhood allegedly failed to properly sanitize the input, allowing the fake warning to appear inside real account confirmation emails.
The phishing content was displayed in the device section of the message, making it seem like a normal security alert. Attackers also reportedly used Gmail dot aliasing, where adding periods to an email address still routes mail to the same inbox, helping them target real users.
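The flaw described above is a classic template-injection pattern: a user-supplied field is interpolated into an HTML email without escaping. The following is an added illustration, not Robinhood’s code; it renders the same constructed device string through a vulnerable and a hardened template, adds the input-side allowlist check a registration endpoint should apply, and collapses Gmail dot aliases so abuse monitoring can count repeated sign-ups against one real inbox. The `phish.example` URL, the function names and the 64-character limit are assumptions.

```python
import html
import re
from typing import Optional

# Constructed sample: a device name carrying markup, the kind of value the
# article says was placed in the device metadata field at sign-up.
INJECTED_DEVICE = (
    'iPhone <b>Unrecognized login</b> '
    '<a href="https://phish.example">Review Activity Now</a>'
)

TEMPLATE = "<p>A new device was linked to your account:</p><p>{device}</p>"


def render_vulnerable(device: str) -> str:
    """Interpolates the field verbatim, so any tags in it become live HTML."""
    return TEMPLATE.format(device=device)


def render_hardened(device: str) -> str:
    """Escapes the field at render time; tags are shown as literal text."""
    return TEMPLATE.format(device=html.escape(device, quote=True))


# Assumed allowlist: letters, digits, space and a few punctuation marks,
# capped at 64 characters. Real device names rarely need more than this.
_ALLOWED = re.compile(r"[A-Za-z0-9 ._()\-]{1,64}")


def accept_device_name(device: str) -> Optional[str]:
    """Input-side check at registration: allowlist characters and cap length.
    Returns the trimmed value, or None when the field should be rejected."""
    value = device.strip()
    return value if _ALLOWED.fullmatch(value) else None


def canonical_gmail(address: str) -> str:
    """Collapses Gmail dot aliases (and +tags) to one canonical address so
    sign-ups that all land in the same inbox can be grouped for monitoring.
    Assumes the standard Gmail rules; other domains are left untouched."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"
```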
Robinhood confirmed the incident in a statement posted on X. The company said the attack involved abuse of the account creation flow and was not caused by a breach of internal systems or customer accounts. It added that personal data and customer funds were not affected.
Robinhood has since fixed the issue by removing the device field from these emails. The company is advising users who received the suspicious message to delete it immediately and avoid clicking any links.