A California judge has given preliminary approval to a $20 million class-action settlement between investing app Robinhood and customers who say the platform's negligence led to their personal information being leaked.

According to a complaint filed in federal court in February 2021, Robinhood's system "lacks simple and almost universal security measures used by other broker-dealer online systems, such as verifying changes in bank account links."

According to Elizabeth Kramer, an attorney for the plaintiffs, class members in the case are defined as anyone in the US whose Robinhood accounts were accessed by unauthorized users between Jan. 1, 2020, and April 27, 2022.

Robinhood deputy general counsel Lucas Moskowitz said the company takes cybersecurity very seriously.

"[We] are pleased to have resolved this matter," Moskowitz said in a statement shared with CNET. "We continue to take numerous steps to safeguard accounts, including using hashing algorithms, encryption, two-factor authentication and other account security measures." 

Approximately 40,000 customers have claimed unauthorized users accessed their Robinhood accounts, according to court filings.

The payout agreement was submitted on July 1 and received preliminary approval on Aug. 23. A final approval hearing has been slated for next spring.

Here's what you need to know about the Robinhood settlement, including who is eligible for payment and how much money they could receive.

For more on class action settlements, find out if you're eligible for money from Capital One's $190 million payout, T-Mobile's $350 million data breach case or Facebook's $90 million data-tracking payout.

What is Robinhood accused of in this class action case? 

In 2021, San Francisco law firm Erickson, Kramer and Osborne filed a class action lawsuit against Robinhood on behalf of Siddharth Mehta, Kevin Qian, Michael Furtado and other Robinhood customers who claimed their Robinhood accounts were hacked.

According to the motion for settlement filed July 1 in the US District Court for the Northern District of California, Robinhood "used substandard security practices and lacked security measures used by other broker-dealer online systems," leading to multiple data breaches.  

Who qualifies for a payment in the Robinhood settlement?

Any US resident whose Robinhood accounts were accessed by unauthorized users between Jan. 1, 2020, and April 27, 2022, or who notified Robinhood their accounts were hacked, is considered eligible to file a claim, according to Kramer.

The settlement does not, however, cover claims arising exclusively from a Nov. 3, 2021, data breach that leaked the personal details of more than 7 million customers, including names, birthdates and ZIP codes.

That incident is the subject of a separate lawsuit, according to Kramer.

"To put it more simply, this settlement is based on alleged cybersecurity failures by Robinhood that 'left the door unlocked' for hackers over time," she told CNET. "The specific November 2021 event is carved out."

How much could customers receive in compensation?

According to the terms of the proposed settlement, Robinhood has agreed to pay $19.5 million in damages and $500,000 in fees.

US-based customers whose accounts were hacked between Jan. 1, 2020, and April 27, 2022, can file a claim for up to $260 per person.

According to Barrons, individual payouts break down as follows:
• Up to $100 for out-of-pocket expenses resulting from the breach
• Up to $100 in reimbursement for identity theft protection or credit monitoring services
• Up to $60 for time spent responding to the issue.

Class members are also eligible for two years of free identity theft protection and credit monitoring. 

In addition to the cash payments and protection services, the settlement requires Robinhood to improve security procedures, including:

• Supplemental two-factor authentication
• Prompting users to update passwords
• Proactive monitoring of account takeovers
• Cybersecurity awareness campaigns 
• Real-time voice support for customers

How do I file a claim in the Robinhood settlement?

Notification of the settlement will officially go out on Sept. 13, the same day the settlement website will go live.

According to Kramer, the site will include a simple online form for potential class members to complete, as well as a print-out version to mail in.

When will I receive payment from Robinhood? 

Preliminary approval for the settlement was given on Aug. 23, 2022. A hearing to assess final approval has been scheduled for May 16, 2023.

Class members would receive payment after that. 

Robinhood's rocky road to the present

An investing and stock-trading app launched in 2013, Robinhood is popular among millennials, who make up a majority of its users. The Robinhood app has exploded in popularity since its debut, managing $98 billion in assets by the end of 2021 and reporting 14 million monthly users in June 2022. 

Many of its services are available for no fee and members' accounts are, on average, significantly smaller than its competitors, according to data from Broker Chooser.

App	Average account size
Robinhood	$4,000
E-Trade	$127,000
Charles Schwab	$234,000
Fidelity	$279,000

But Robinhood's rapid rise has come with controversy and a string of litigation: In February 2021, the company was sued by the family of a 20-year-old trader who killed himself after he incorrectly believed he had racked up approximately $730,000 in losses on the app. 

That same year, Robinhood faced several civil suits after it froze GameStop trading following a Reddit campaign to buy up shares of the video-game retailer that caused its stock price to spike.   

In June 2021, the Financial Industry Regulatory Authority ordered Robinhood to pay more than $70 million in fines and restitution for violating financial regulations and giving customers false and misleading information.

There have also been several high-profile cybersecurity incidents: In October 2020, Bloomberg reported that approximately 2,000 Robinhood customers' accounts were exposed by hackers.

In the November 2021 attack, the company claimed, a hacker "socially engineered a customer support employee by phone and obtained access to certain customer support systems" in order to extort money. Law enforcement was informed of the extortion attempt, the company maintained, and the leak was contained. 

This May, Robinhood agreed to a $9.9 million payout to settle a separate class-action lawsuit filed by users who alleged site outages in March 2020 prevented them from trading just as the market plummeted in the earliest days of the pandemic.

And on Aug. 2, the New York State Department of Financial Services hit Robinhood Crypto, the investing app's cryptocurrency trading wing, with a $30 million fine for "significant" failures to comply with the state's consumer protection, cybersecurity and money laundering statutes.

Also in August, Robinhood laid off nearly a quarter of its employees following a steep decline in trading activity on the app. It was the second round of layoffs this year after Robinhood trimmed its staff by about 9% in April

The two rounds combined have eliminated more than 1,000 jobs from the company,  The Wall Street Journal reported.

"Last year, we staffed many of our operations functions under the assumption that the heightened retail engagement we had been seeing with the stock and crypto markets in the COVID era would persist into 2022," Robinhood chief executive and co-founder Vlad Tenev said in a blog post.

"In this new environment, we are operating with more staffing than appropriate," Tenev added. "As CEO, I approved and took responsibility for our ambitious staffing trajectory -- this is on me."