Crypto companies invest heavily in cybersecurity, but hackers can still burrow in by attacking their third-party vendors. That’s what happened to Circle, BlockFi, Pantera Capital, NYDIG and other prominent crypto firms that disclosed over the weekend that their customer data had been hacked.
In emails to clients, the companies revealed that Hubspot, a marketing and sales platform, had informed them that a hacker had gained access to the personal data of their customers.
“Pantera uses Hubspot as a client relationship management platform. … The information that may have been accessed includes first and last names, email addresses, mailing addresses, phone numbers, and regulatory classifications,” wrote Pantera Capital.
Pantera added that its “internal systems” were not affected by the incident, and that the hacker didn’t gain access to any Social Security Numbers or government IDs provided by customers.
In a weekend blog post, HubSpot described the attack as a “targeted incident focused on customers in the cryptocurrency industry,” and said that a “bad actor” had compromised an employee’s account.
Hubspot added that “data was exported from fewer than 30 HubSpot portals,” but didn’t provide a list of which clients’ accounts had been compromised.
The identities of some of the affected companies have instead been made known as a result of the firms themselves alerting their customers—a common practice intended to both warn those customers and to reduce legal exposure from such incidents, some of which result in class action suits and some of which result in fines from regulators like the Federal Trade Commission.
The full extent of the hack is so far unclear, in part because HubSpot hasn’t disclosed how much data was stolen. But given that the likes of BlockFi and Circle alone have millions of customers, it’s possible the hack was major.
In the case of Circle, the company wrote that “customers’ funds, financial transaction data and know your customer (KYC) data were also not affected,” but added that clients’ contact information was stolen.
It’s likewise unclear what the hacker intends to do with the data. In many cases, hackers sell plundered customer data on dark web forums where criminals purchase it to carry out further hacks or phishing scams.
In the case of the HubSpot incidents, it’s possible the hacker or other crooks may use contact information such as email addresses to guess victims’ passwords and steal their crypto.
Circle’s email to customers also referred to phishing, though it didn’t directly say that motivated the attack.
Oren Falkowitz, founder of an anti-phishing service called Area 1 that was recently purchased by Cloudflare, is confident phishing was the source of the incident.
“It’s obvious that the root cause of the cyber attack against HubSpot was phishing. Phishing attacks continue to be the root cause of 95% of cyberattacks,” Falkowitz said via email. “What’s so pernicious about these types of attacks, and the lack of accountability of holders of so much identity data, such as HubSpot, is that they initiate a cycle of more phishing, which is already being reported by HubSpot customers.”