Crypto banking portal BlockFi says that users’ personal details, including names, emails, and phone numbers were targeted over the weekend after hackers breached the security of its CRM and marketing platform provider, HubSpot.
Bitcoin buying platform Swan Bitcoin and crypto hedge fund Pantera Capital also suffered in the targeted attack.
As reported by Security Week, a “bad actor” managed to take control of a HubSpot employee account on Friday. This gave them access to data belonging to a number of the Massachusetts-based company’s customers.
New Jersey-based BlockFi took to Twitter to reassure users that, while HubSpot stores customer names and email addresses, more sensitive data is kept elsewhere. This includes account passwords and social security numbers.
HubSpot says it nixed the account in question as soon as it uncovered the attack. It also shut down a number of other employee account privileges. The company says that fewer than 30 portals are at risk.
“Some employees have access to HubSpot accounts,” said HubSpot (via Security Week). “This allows employees such as account managers and support specialists to assist customers.”
“In this case, a bad actor was able to compromise an employee account and make use of this access to export contact data from a small number of HubSpot accounts.”
BlockFi reached a record $100-million settlement last month with the US Securities and Exchange Commission (SEC) and 32 US states, for offering unregistered securities through its crypto-powered savings accounts.
It could face a lawsuit against hundreds of thousands of users for allegedly failing to notify them of the associated risks.
BlockFi users not alone
An employee of crypto exchange Coinbase suffered a “social engineering” phishing attack last year. Hackers exploited a chink in the company’s SMS account recovery process.
This granted them a two-factor authentication token and access to 6,000 Coinbase accounts — and their funds.
According to Coinbase, its attackers must have had “prior knowledge of the email address, password, and phone number associated with a specific account.”
They would also have needed access to a personal email inbox.
Follow us on Twitter for more informed news.
Out now: the first four episodes of our ongoing investigative podcast series Innovated: Blockchain City.