Robinhood Account Creation Flaw Abused to Send Phishing Emails

What happened

Threat actors exploited a flaw in Robinhood’s account creation process to inject phishing content into legitimate emails sent from the company’s own infrastructure, causing recipients to receive convincing credential theft attempts that originated from [email protected] and passed SPF and DKIM authentication checks.

The attack worked by abusing unsanitized device metadata fields in Robinhood’s onboarding emails. When a new account is created, Robinhood automatically sends a login confirmation email containing the registration time, IP address, device information, and approximate location. Attackers modified their device metadata to embed arbitrary HTML, which Robinhood rendered without sanitization, injecting a fake “Unrecognized Device Linked to Your Account” warning into the Device field of the email. The phishing section directed recipients to click a “Review Activity Now” button linking to a now-offline site at robinhood[.]casevaultreview[.]com, assessed to have been used for credential theft.

To target existing Robinhood customers, attackers used Gmail’s dot aliasing behavior, where adding periods to an email address does not change its destination, to register accounts using variations of real customer email addresses while still delivering the phishing emails to intended recipients. The 2021 Robinhood breach, which exposed data from 7 million customers, is a likely source for the email lists used in the campaign.

Robinhood confirmed the incident and attributed it to abuse of the account creation flow rather than a breach of its systems. The company has fixed the flaw by removing the Device field from account creation emails. Personal information and funds were not impacted.

Who is affected

Robinhood customers whose email addresses appeared in prior breach data are the primary targets, given that attackers needed existing customer email addresses to direct the phishing emails convincingly. Anyone who received the fake login alert and clicked through to the phishing site faces potential credential exposure.

Why CISOs should care

The phishing emails in this campaign passed every standard authentication check. SPF passed. DKIM passed. The sending address was genuine. For recipients and for email security tooling, there was no technical signal that anything was wrong. The attack succeeded entirely because of an input sanitization failure in a transactional email template, turning a routine onboarding communication into a phishing delivery mechanism.

This is a pattern worth internalizing: any platform that includes user-controlled input in outbound email without proper sanitization can be weaponized to send authenticated phishing at scale. The attack required no compromise of Robinhood’s core systems.

3 practical actions

  1. Audit all transactional email templates for user-controlled input fields: Any field in an outbound email that incorporates data supplied directly or indirectly by the user, including device metadata, names, or location fields, must be sanitized before rendering. Unsanitized HTML in email templates is a direct phishing delivery vector regardless of how strong the platform’s authentication infrastructure is.
  2. Brief users that legitimate authentication emails can carry phishing content: Standard guidance to check the sender address and authentication headers is no longer sufficient when phishing content can be injected into genuinely authenticated emails. Train users to treat unexpected security alerts as suspicious regardless of sender, and to verify account activity directly through the platform rather than through email links.
  3. Review dot aliasing and similar email normalization behaviors in your account registration flows: Gmail dot aliasing and similar mechanisms allow attackers to register accounts using variations of real email addresses. Normalizing email addresses during account creation reduces the ability to weaponize your onboarding flow against your own user base.
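The two defects the article turns on, unescaped user data in a transactional template (action 1) and the lack of address normalization that let dot variants of one Gmail mailbox register as separate accounts (action 3), in one added example. This is not Robinhood's code; the template, the field values and the device string carrying markup are all constructed for illustration.

```python
import html
import re

# Constructed onboarding template built from the fields the article lists
# (registration time, IP, device, location). Not Robinhood's template.
TEMPLATE = (
    "<p>A new login to your account was recorded.</p>"
    "<ul><li>Time: {time}</li><li>IP: {ip}</li>"
    "<li>Device: {device}</li><li>Location: {location}</li></ul>"
)

# Constructed device metadata that carries markup, the class of input the
# article says reached the Device field unsanitized.
INJECTED_DEVICE = (
    'Chrome on Windows<br><b>Unrecognized device linked to your account</b> '
    '<a href="https://example.invalid/review">Review Activity Now</a>'
)

SAMPLE_FIELDS = {
    "time": "2024-01-01 12:00 UTC",   # constructed
    "ip": "203.0.113.7",              # constructed, documentation range
    "device": INJECTED_DEVICE,
    "location": "Somewhere, US",      # constructed
}

def render_unsafe(fields):
    """Vulnerable pattern: user-controlled values interpolated straight into HTML."""
    return TEMPLATE.format(**fields)

def render_safe(fields):
    """Hardened pattern: HTML-escape every user-controlled value before rendering."""
    escaped = {k: html.escape(str(v), quote=True) for k, v in fields.items()}
    return TEMPLATE.format(**escaped)

_TAG = re.compile(r"<(a|b|br|img|script)\b", re.I)

def injected_markup_survives(rendered):
    """Detection check for a template test suite: do live tags survive in the Device field?"""
    start = rendered.index("Device: ")
    end = rendered.index("</li>", start)
    return bool(_TAG.search(rendered[start:end]))

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def normalize_email(address):
    """Canonical form for registration dedup: Gmail ignores dots in the local part
    and treats gmail.com and googlemail.com as one domain, so both collapse here.
    Other providers keep their local part untouched (only the domain is lowercased)."""
    local, _, domain = address.strip().rpartition("@")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local, domain = local.replace(".", "").lower(), "gmail.com"
    return f"{local}@{domain}"
```

Running `injected_markup_survives` over every rendered template in CI is a cheap regression check for the failure mode the article describes.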