September 14, 2007 12:52 PM PDT

TD Ameritrade's 6 million customers hit with security breach

by Dawn Kawamoto

Online trading company TD Ameritrade alerted more than 6 million customers Friday that a security breach occurred with its client information database.

The database contained such sensitive information as clients' names, Social Security numbers, dates of birth, addresses, phone numbers and trading activity.

Ameritrade, however, stressed that it has no evidence that Social Security numbers and client demographics, such as birth dates and trading activity information, were retrieved or used to commit identity theft. The company also notes that Ameritrade's user log-ins and passwords were not part of the database.

The discovery was made a couple of weeks ago, when the online broker learned that investment-related spam had infiltrated the broker's system. The malicious code allowed a hacker to access some of the information stored in the database.

A TD Ameritrade spokeswoman declined to give further details of the security breach, noting that the investigation is still ongoing.

But one security expert said it could have happened one of two ways.

"There are only two different ways this could have happened. There was either a vulnerability with their Web site and it was hacked, or someone internally gained access with a Trojan horse," said Graham Cluley, senior technology consultant at Sophos.

He warned that Ameritrade clients should be on the lookout for phishing attempts, which try to steal users' log-ins and passwords by lulling them into believing the e-mail is being sent by the online broker.

Hackers may also try to use the information to run a pump-and-dump scheme, in which certain stocks are touted to clients, driving up the stock price before the attackers dump the stock.

Ameritrade said it hired ID Analytics to conduct a forensics test to ascertain what information, if any, has been compromised. It has also posted more information on its Web site.

Dawn Kawamoto covers enterprise security and financial news relating to technology for CNET News.
The spam started long ago - so this is the reason?
by Doctor B September 14, 2007 6:56 PM PDT
TD Ameritrade states that the information was used to send spam. If you search for "Ameritrade spam" on Google, you can see that people (including myself) have been receiving spam on addresses given ONLY to Ameritrade for quite some time; a quick look just now turned up discussions from 2005 (there may or may not be earlier ones, I only looked at a few search results). I wrote to them several times to complain about this, and was told that they were investigating (or had investigated) and had not found any evidence of a security breach. However, it sounds to me now like this has been going on for all that time.
I wrote to them 2 years ago
by Renceward September 14, 2007 9:36 PM PDT
I had an Ameritrade only email address - I started to get pump and dump spam. I contacted them and pointed out that Ameritrade and only Ameritrade had this email address. They kept denying any problems. I filed a complaint with the SEC - Ameritrade continued to deny the problem. I closed my account with Ameritrade - I can't risk trusting my money to morons. This security breach has been going on for years and they just now figured it out. I don't know why anyone would trust them with their money.
the email addresses were stolen a long time ago
by tomblonde September 14, 2007 7:58 PM PDT
I gave a VERY unique email addy to tdameritrade and gave it to no-one else. I started getting a non-tdameritrade spam at that address nearly a year ago.
Same Here
by Loraneb September 17, 2007 3:15 PM PDT
I did the exact same thing with a disposable email address - assigned only to Ameritrade. I even emailed them and told them something was fishy - never got a response. They had to have known about this problem at the time - they just never acknowledged it until word got out... now.
They lie.
by www.sorehands.com September 14, 2007 9:06 PM PDT
I complained about this multiple times over the last 6 months. They claimed it must have been a virus that got the e-mail address from my system and sent it to the spammers.

Impossible, I run OS/2.