US share-trading app Robinhood has been hit by a security breach that has exposed the names or email addresses of more than seven million people.
The company says the breach affected “a limited amount of personal information for a portion of our customers”.
Robinhood said it had rejected a demand for payment and reported the attack.
Instead of complying with what it called “extortion”, Robinhood said it had notified law-enforcement authorities and hired an external cyber-security firm to help deal with the incident.
The app, which allows for low-volume share trading by ordinary people looking to invest, exploded in popularity earlier this year.
The breach happened on November 3 through what’s known as “social engineering” – a specifically targeted and convincing scam designed to trick an employee into divulging login details or other sensitive information.
It affected five million people whose e-mail addresses were compromised and the full names of a further two million.
Robinhood also said a much smaller group of just over 300 people had much more information exposed – including names, dates of birth, and US zip codes.