Robinhood account creation process exploited to deliver phishing emails via email injection

1 unique source, 1 article

Summary

Threat actors abused a flaw in Robinhood’s account creation onboarding process to inject arbitrary HTML into legitimate registration emails, enabling the delivery of convincing phishing messages. Starting April 26, 2026, Robinhood customers received emails from [email protected] with a subject line ‘Your recent login to Robinhood’ and content warning of an ‘Unrecognized Device Linked to Your Account’. The emails included fake IP addresses, partial phone numbers, and a ‘Review Activity Now’ button that led to a phishing domain, robinhood[.]casevaultreview[.]com. The attack leveraged improperly sanitized device metadata fields during account registration to embed HTML into the Device: field of confirmation emails, creating a fake alert within an otherwise legitimate email. No system or customer data breach occurred, and Robinhood has remediated the flaw by removing the Device: field from account creation emails.
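
The Device: field injection described above comes down to user-supplied metadata being interpolated into an HTML email body without output encoding. The following is an added example, not Robinhood's code or its fix (which removed the field); the template, allow-list and function names are hypothetical, and the sample value is constructed.

```python
import html
import re

# Constructed sample: a device-name value carrying markup, standing in for
# user-controlled registration metadata. example.invalid is a placeholder.
INJECTED_DEVICE = (
    "iPhone</td></tr></table>"
    "<h2>Unrecognized Device Linked to Your Account</h2>"
    '<a href="https://example.invalid/review">Review Activity Now</a>'
)

# Hypothetical fragment of a confirmation-email template.
TEMPLATE = "<table><tr><td>Device:</td><td>{device}</td></tr></table>"

# Hypothetical allow-list for plausible device names: word characters and a
# little punctuation, capped at 64 characters. Angle brackets never match.
DEVICE_OK = re.compile(r"[\w .,()'/+-]{1,64}")


def render_unsafe(device: str) -> str:
    """Vulnerable pattern: user-supplied text interpolated as raw HTML."""
    return TEMPLATE.format(device=device)


def render_safe(device: str) -> str:
    """Hardened: validate on input, then HTML-encode on output."""
    if not DEVICE_OK.fullmatch(device):
        device = "Unknown device"
    # Encoding still runs on accepted values, so a later loosening of the
    # allow-list cannot reintroduce live markup.
    return TEMPLATE.format(device=html.escape(device, quote=True))


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = render(INJECTED_DEVICE)
        print(f"{name}: live <a> tag in email body = {'<a href=' in out}")
    print(render_safe("Tom's iPad"))
```
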

Timeline

  1. 28.04.2026 02:11 · 1 article

    Robinhood account creation flaw exploited to deliver phishing emails via injected HTML

    Threat actors abused a flaw in Robinhood’s account creation flow to inject arbitrary HTML into account confirmation emails, causing fake ‘Unrecognized Device Linked to Your Account’ alerts to render within legitimate messages from [email protected]. The attack involved modifying device metadata fields during registration to include embedded HTML, which Robinhood did not sanitize, resulting in phishing content being displayed in the Device: field of confirmation emails. The phishing emails included a malicious link to robinhood[.]casevaultreview[.]com and warned of suspicious login activity. Robinhood confirmed the issue was not a system breach and has removed the Device: field to prevent further abuse.


Information Snippets

  • Threat actors exploited a flaw in Robinhood’s account creation onboarding flow to inject arbitrary HTML into account confirmation emails, specifically targeting the Device: field.

    First reported: 28.04.2026 02:11
    1 source, 1 article
  • The injected HTML was rendered within legitimate emails sent from [email protected], appearing as a fake ‘Unrecognized Device Linked to Your Account’ alert with IP addresses and partial phone numbers.

    First reported: 28.04.2026 02:11
    1 source, 1 article
  • The phishing email included a ‘Review Activity Now’ button that redirected users to a malicious site at robinhood[.]casevaultreview[.]com, which is now inactive.

    First reported: 28.04.2026 02:11
    1 source, 1 article
  • The phishing emails passed SPF and DKIM checks because they were sent from Robinhood’s own infrastructure, making them appear legitimate to recipients.

    First reported: 28.04.2026 02:11
    1 source, 1 article
  • Attackers likely used lists of known customer email addresses from Robinhood’s 2021 data breach (affecting 7 million users) to target recipients.

    First reported: 28.04.2026 02:11
    1 source, 1 article
  • Attackers abused Gmail’s dot aliasing feature to register accounts using variations of real email addresses while still delivering messages to intended recipients.

    First reported: 28.04.2026 02:11
    1 source, 1 article
  • Robinhood confirmed the incident was not a breach of systems or customer accounts and stated personal information and funds were not impacted.

    First reported: 28.04.2026 02:11
    1 source, 1 article
  • Robinhood has remediated the flaw by removing the Device: field from account creation emails to prevent further HTML injection.

    First reported: 28.04.2026 02:11
    1 source, 1 article