Security News

Cybersecurity news aggregator

HIGH Attacks SC Media

Robinhood account creation flaw exploited for phishing emails

Threat actors exploited an HTML injection vulnerability in Robinhood's account creation process to send phishing emails that appeared as legitimate login alerts from the company's official address. The flaw allowed attackers to manipulate the content of account confirmation emails, directing recipients to a credential-harvesting site. Robinhood has remediated the issue by removing the abused field from their email templates and advises users to delete any suspicious messages.

Phishing, Email security

April 28, 2026

By SC Staff

As reported by Bleeping Computer, threat actors exploited Robinhood's account creation process to send convincing phishing emails to users, making them believe their accounts were compromised.

Attackers abused a flaw in Robinhood's onboarding process, allowing them to inject HTML into account confirmation emails. This manipulated the emails to appear as legitimate login alerts, warning of unrecognized device activity. The phishing emails originated from Robinhood's official [email protected] address and passed security checks, making them highly deceptive. The emails directed users to a now-defunct phishing site, likely intended to steal credentials. Attackers may have used customer email lists from a previous 2021 data breach and Gmail's dot aliasing to target users.

Robinhood confirmed the incident, stating it was an abuse of the account creation flow and not a breach of customer accounts or personal information. The company has since fixed the vulnerability by removing the abused field from their emails and advises users to delete any suspicious messages.

Source: Bleeping Computer