Robinhood Phishing Email Abuse — April 26, 2026 Post-Mortem (Aggregated)
The Incident
On April 26, 2026, multiple Robinhood customers reported on X that they were receiving phishing emails sent from the legitimate noreply@robinhood.com address. The emails carried the subject line "Your recent login to Robinhood" and contained a fake "Unrecognized Activity Detected on your Account" warning with a "Review Activity Now" button linking to an attacker-controlled site. Robinhood's official statement: "It was not a breach of our systems or customer accounts, and personal information and funds were not impacted."
How the Attack Worked
Attackers exploited a flaw in Robinhood's account creation flow. The "device name" / "Device:" field in the new-account onboarding email was rendered without proper HTML sanitization. Threat actors created new Robinhood accounts and embedded HTML payloads (a fake "Unrecognized Device Linked to Your Account" message with a phishing link) into the device metadata field. Robinhood's automated email template then injected the unsanitized HTML directly into the welcome/login email sent from noreply@robinhood.com.
The Gmail Dot-Alias Trick
To target existing Robinhood customers without raising flags, attackers leveraged the fact that Gmail ignores periods in usernames (e.g., user.name@gmail.com and username@gmail.com deliver to the same inbox), but Robinhood treated each variation as a distinct account. This let attackers register a "new" Robinhood account against a victim's effective Gmail address, triggering the device-creation email — which was then weaponized via the HTML injection in the device field — and delivered to the victim's real inbox.
The Core Technical Issue
This is a classic stored-XSS-by-email pattern combined with identity confusion between two systems' username canonicalization rules:
1. Insufficient sanitization of user-controlled fields (the device name) before they are interpolated into a transactional email template.
2. Identity provider mismatch: Gmail's permissive aliasing vs Robinhood's strict-string username comparison let attackers pre-target known victim addresses.
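Both issues above can be demonstrated with a few lines of defensive code. The following is an added example, not Robinhood's code: it canonicalizes Gmail addresses before comparing registrations (folding dots, and, beyond what the page discusses, plus-tags and the googlemail.com domain, which Gmail also treats as equivalent), and shows the unescaped device-field template beside an HTML-escaped one. All sample addresses and the sample device name are constructed.

```python
import html
import re

# Gmail delivers user.name, username and username+tag (at gmail.com or
# googlemail.com) to the same mailbox. Canonicalizing on these rules lets a
# registration flow notice that a "new" signup reaches an existing customer.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize_email(address: str) -> str:
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def is_alias_collision(new_address: str, existing: set[str]) -> bool:
    """True if new_address reaches a mailbox that is already registered."""
    canon = canonicalize_email(new_address)
    return any(canonicalize_email(e) == canon for e in existing)


# The device name is attacker-controlled. The unsafe template interpolates it
# raw into the email body; the safe template HTML-escapes it first.
def render_device_line_unsafe(device_name: str) -> str:
    return f"<p>Device: {device_name}</p>"


def render_device_line_safe(device_name: str) -> str:
    return f"<p>Device: {html.escape(device_name, quote=True)}</p>"


TAG_RE = re.compile(r"<[^>]+>")


def contains_markup(rendered: str) -> bool:
    """Check whether the rendered field carries any tag besides the <p> wrapper."""
    inner = rendered.removeprefix("<p>Device: ").removesuffix("</p>")
    return bool(TAG_RE.search(inner))


if __name__ == "__main__":
    existing = {"jane.doe@gmail.com"}  # constructed sample customer
    print(is_alias_collision("Jane.Doe+rh@gmail.com", existing))  # True
    device = '<a href="https://example.invalid/review">Review</a>'  # constructed
    print(render_device_line_unsafe(device))  # link survives into the email
    print(render_device_line_safe(device))    # rendered as literal text
```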
Why This Matters for Crypto
While Robinhood is primarily a brokerage, it offers crypto trading and wallet services. Phishing emails delivered from a verified financial-institution address with valid SPF/DKIM bypass nearly all consumer-grade email filtering and user trust signals — making this an effective vector for stealing crypto wallet credentials, seed-phrase recovery codes, or 2FA tokens.
Response
BleepingComputer confirmed Robinhood fixed the flaw by removing the Device: field entirely from the account creation email template. The official position remains that Robinhood's systems and customer accounts were not breached — the attack was abuse of legitimate email-sending infrastructure rather than direct system compromise.