On Friday, a hacker targeting crypto customers’ data discovered a vulnerability in the client relationship management (CRM) platform Hubspot, making off with customer data from firms such as BlockFi, Swan Bitcoin, and Pantera Capital – and all three companies have shared steps customers can take to help ensure the safety of their data and funds.

In light of this most recent hack, BlockFi suggested the following steps to its customers:

  • password hygiene: make sure that you are using strong passwords and that they are different for every service; you can use password managers to make this easier, such as 1Password;
  • turn on allowlisting for BlockFi: this is recommended even if you do not have an allowlisted address; any time you want to withdraw, you’ll have to add a new allowlisted address, triggering a 7-day hold – in addition to the company’s standard 1-business-day security hold;
  • be extra vigilant of scams: this concerns various inbound communications, be it emails, phone calls, or texts – if it’s outside of the typical BlockFi channel of communication, do not engage.

Swan Bitcoin shared its own list of recommendations, stating:

  • be mindful of any suspicious activity, especially in your email – assume any email that asks for sensitive info or for an action of some kind is not genuine until proven otherwise;
  • be careful of phishing – attempts to get additional information from you or to make you do something via email, call, or text;
  • do not engage if you are approached outside of the typical channels of communication you receive;
  • contact companies directly when in any doubt, via their official email addresses or phone numbers;
  • enable Two-Factor Authentication (2FA) for all your accounts; using an authenticator app or a hardware authenticator tool is recommended, such as Yubikey;
  • update your software – this includes operating systems on your phones, tablets, and laptops, and use automatic updates for all devices, applications, and operating systems;
  • use strong passwords and password managers.

As for Pantera, they shared the same advice regarding password usage and management, as well as 2FA, further adding in an email:

  • if a communication uses unusual language or improper grammar, the communication may be from a malicious third party pretending to be Pantera;
  • never click on links in emails or text messages in which the full web address is not visible.

Finally, all three companies agree that: 

“If it seems too good to be true, it is.”

Crypto-focused attack

Hubspot stated that the hacker had “compromised” one of its employee accounts on March 18 in what it believed to be “a targeted incident focused on customers in the cryptocurrency industry.” 

The firm claimed to have “terminated access for the compromised Hubspot employee account and removed the ability for other employees to take certain actions in customer accounts.”

The firm confirmed that a number of telephone numbers and email addresses had been exposed in the attack. However, it claimed that sensitive data including passwords and proof of identity details remained secure.

CRM platforms are often used as a digital, hub-like tool for businesses to pool or store customer and prospective customer data, as well as to track interactions.

Funds are SAFU

BlockFi took to Twitter to explain that its own “internal systems and client funds are safeguarded and were not impacted.” The company added:

“We can also confirm that BlockFi account passwords, government-issued ID numbers and social security numbers were never stored on Hubspot. […] No action is needed on your BlockFi account at this time.”

BlockFi added that it stored data “including name, email, and phone number” for “a majority” of its clients, but was still waiting “to understand the full scope” of the hack’s “impact.”

Swan Bitcoin, meanwhile, explained in an email to customers that was also posted to Twitter, that it “uses Hubspot for limited client communication and marketing data,” adding:

“We do not use Hubspot to store financial information, transactions, or other sensitive personal or financial information. Your funds are safe. Swan’s systems were not compromised.”

The firm added that it uses Hubspot to store data that they “rely on to help onboard new and prospective customers.”

“Additional information,” it concluded, “will be emailed to all impacted clients in the coming days.”

Company co-founder Yan Pritzker added in a Twitter comment that the team has been working “round the clock” since Friday on “data scrub, termination of further data to 3rd parties and complete audit.” They also plan to share a “comprehensive” plan next week – and it will include “moving away from using vendors for email.”

Startups rely on 3rd parties because it would be impossible to get a company off the ground if you build everything yourself. We chose vendors with extremely high standards. Hubspot had soc 2 type ii certification, for example. But it’s clearly time to take this in house.

— Yan Pritzker 🦢 (@skwp) March 20, 2022

In a further release on the hack, Hubspot claimed that its “initial assessment suggests that data was exported from fewer than 30 HubSpot portals” – but hinted that a “bad actor” may have gotten what they were after had the hacker “attempted to access contact data.”

Additional details “on the bad actor’s actions” had been “provided to impacted customers,” the firm added.

Pantera said that Hubspot notified the company that an unauthorized person “may have gained access to a portion of its client data,” including certain Pantera data that is housed on the platform. 

The information that may have been accessed, per Pantera’s email, includes names, email addresses, mailing addresses, phone numbers, and regulatory classifications.  

Pantera’s internal systems were not impacted by this incident, they said, and therefore sensitive personal information, like social security numbers or government-issued identification, was not accessed. “This information is not stored on Hubspot,” the company said.

Last year, Pantera Capital also suffered a Hubspot-related security breach, which Pantera claimed was then used to target customers with a bogus “token sale” offer.

Source: Cryptonews
