A phishing campaign exploited a glitch in Robinhood’s account creation process to send phishing emails from the investment platform’s own systems, SecurityWeek reports.

“On Sunday evening, some customers received a falsified email from noreply@robinhood.com with the subject line ‘Your recent login to Robinhood,’” Robinhood said in a statement. “This phishing attempt was made possible by an abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and funds were not impacted. If you received this email, please delete it and do not click any suspicious links. If you have clicked a suspicious link or have any questions about your account, please contact us directly within the Robinhood app or website.”

According to SecurityWeek, the attackers took advantage of the fact that Gmail addresses ignore periods placed within the email username before the “@” symbol. If a third-party service allows users to create accounts using a Gmail address, the process needs to take this into consideration. Otherwise, as in the case of Robinhood, attackers can create multiple accounts using the same Gmail address.

SecurityWeek explains, “Specifically, they leveraged the fact that Gmail ignores periods inserted into or removed from a username, whereas Robinhood treats each variation as distinct, allowing the attackers to create a new account that Gmail would point to an existing account. During signup, the attackers injected malicious HTML code containing phishing links into device name fields. The hackers’ actions triggered legitimate ‘recent login’ notification emails from Robinhood, which rendered the unsanitized HTML and embedded clickable phishing links.”

SecurityWeek has the story: Robinhood Vulnerability Exploited for Phishing Attacks