Image: SOPA Images/Contributor

The hackers behind the recent breach of customer data from app-based broker Robinhood had access to an internal tool that presented them the option of tampering with user accounts, including removing specific users’ multi-factor authentication protections, according to screenshots of the tool obtained by Motherboard. Robinhood said that based on its investigation, the hackers did not make any changes to any customers’ accounts, however.

The news highlights the potential risks that hackers can pose beyond simply stealing sensitive data. The screenshots of the tool also show buttons for logging a user out of their account, adding a trusted device, and blocking certain sessions from accessing the Robinhood account. The screenshots also show the hackers could view sensitive information on users, such as their balances and trades.

A source who presented themselves as a proxy for the hackers provided Motherboard with the screenshots.

In an email to Motherboard, a Robinhood spokesperson said that “Certain authorized Robinhood employees have the ability to update accounts as necessary to provide customer support or service accounts, as is standard at most financial institutions and platforms.”

Tech companies often have internal tools for employees to make changes to customers’ accounts, sometimes for troubleshooting or to resolve customer service issues. But hackers can in turn gain access to and sometimes leverage those tools. Last year, Motherboard reported how a scammer bribed a worker at popular gaming platform Roblox to access its back end customer support panel. Hackers also recently targeted a similar tool used by Twitter.

The screenshots show that as well as offering the ability to make changes to users’ accounts, the tool provides notes on specific accounts generated by Robinhood’s fraud team; the devices used to log into Robinhood; the user’s IP addresses; whether the devices are trusted or not; their balances such as net cash as well as their buying power; and their phone number and whether that number is verified or not. Robinhood had not previously specified that some users’ phone numbers may have been exposed.

Another of the screenshots shows an internal message written by a Robinhood employee discussing changes to account security practices. Another shows customer support messages between a specific user and Robinhood.

Do you have a tip about Robinhood? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email joseph.cox@vice.com.

On Monday Robinhood announced it had suffered a data breach, in which hackers socially engineered a customer service representative to then gain access to the email addresses of more than 5 million customers, the full names of 2 million other customers, and other data from a smaller group of users. The hacker then tried to extort the company, according to the announcement.

“We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed. We are in the process of making appropriate disclosures to affected people,” Robinhood’s announcement added.

On Wednesday the Robinhood spokesperson said that “As we disclosed on November 8, about 10 customers had more extensive account details and information exposed,” when asked about the hackers’ access to the internal tool. Robinhood said that the screenshot with the customer support messages was part of this subset of 10 accounts.

Some of the data included information on users who had requested for Robinhood to delete their account, Motherboard reported. Robinhood told Motherboard at the time that it is required by SEC rules to keep account information for six years after an account is closed.

The hackers appear to be advertising access to some of the stolen data on an underground forum.

Motherboard contacted two victims whose personal details were included in the screenshots but did not receive a response.

Subscribe to our cybersecurity podcast CYBER, here. Subscribe to our new Twitch channel.