What We Know About What Happened
On or about March 10 and 18 of this year, two third-party services had their Bitcoin customer data compromised:
- one was an email marketing system called ActiveCampaign.
- one was a customer relationship manager (CRM) web application called HubSpot.
In total, the two separate incidents targeted and accessed personal information (PI) of customers belonging to at least 31 Bitcoin companies. In all cases, the compromised data included the customers’ names and email addresses. In most cases, it also included physical addresses and phone numbers. In other cases, the stolen data also included an IP address, browsing history, type of user, and other customer information.
From the information that was shared publicly, one compromise occurred via social engineering and one compromise was via a phishing attack.
What we don’t yet know is whether other Bitcoin companies have been compromised via their third-party services. Other companies may not have yet realized that their data has been compromised.
In summary, there have always been bad actors targeting Bitcoiners — there are also increasing attacks on Bitcoin companies. Cyberattacks are having numbers go up in a large way.
KYC means “know your customer.” If you have given any of the above-mentioned pieces of personal information to one or more of these Bitcon companies in order to buy Bitcoin or for other services, your personal information that the company required in order to know their customer has now been compromised.
The bad actor or actors who perpetrated these successful attacks — at minimum — now know that you hold bitcoin. How they might intend to take advantage of that information remains to be seen. So, you should cover your … backside.
What The Heck Is A CRM Or Email Marketing Service?
A Customer Relationship Management (CRM) system “is a process in which a business or other organization administers its interactions with customers.” Salesforce is perhaps the most well-known example of a CRM. An email marketing service like HubSpot is an easy way for companies to email newsletters and other information to different groups of users.
Similar to how most people use various digital productivity apps to manage their contacts and communication lives, businesses and other organizations use CRMs and email marketing services in order to digitally run their business. Every digital business you shop or work with can also have this personal data compromised.
How Can You CYA In The Future
If you are going to interact with a company that needs to KYC and store your contact details, these are my recommendations on the minimum steps you should take to CYA:
- E-Mail: Obtain a separate email address that you use only for Bitcoin financial services. If there is a data compromise, get a new email address and update that email information for ALL Bitcoin services.
- Phone: Get a separate internet phone number and use that for any Bitcoin services. As with email addresses, if there is a data compromise, change the phone number on all Bitcoin services.
- Account Access: Enable multifactor authentication (MFA) with an authenticator app or hardware key. Do NOT use SMS/text for MFA. (Remember, if compromised they will have your phone number now and could SIM swap and compromise you).
ALWAYS use strong passwords and a password manager and don’t re-use the same password across different services.
- Physical Address: Get a P.O. box or other delivery location to use in lieu of your home or work address.
Some people even use a totally separate desktop system for Bitcoin service interactions.
You might also benefit from reviewing the security tips I delineated in “Bitcoin OpSec Tips From Casa Keyfest.”
How You Can CYA If Your Data Was Compromised
Basically, follow the steps above and change what you can in your Bitcoin company profile and account credentials — NOW.
You will then know that future company contact with the old email address or phone number should be viewed as suspicious and possibly nefarious.
How Can You CYA Against Social Engineering
First, do NOT assume you would not fall for a social engineering attack.
Social engineering is a devious method of compromise and it will appeal to your desire to be seen and understood. If the bad actors have your info from a CRM, they will use information about what you’ve browsed, what purchases you made, and past conversations in order to make you feel like they have personally connected with you. They will use any psychological vulnerability they can detect in order to make you trust them and then take an action that can cause a compromise that will give them financial gain.
Imagine that tomorrow you get a phone call (social engineering) ostensibly from one of your Bitcoin service providers, that notifies you of the attack, and offers to update your password there and then right over the phone. Your caller ID even shows that they are calling from the company that they say they’re calling from. They just need your current password to authenticate you. If you have it enabled, they might even say that you’ll get a 2-factor authentication request sent to your phone, and sure enough, you get one. They’ll ask you to read off the code to “confirm your identity.”
What’s actually happening is they have spoofed the caller ID to make it look like they’re calling from that company. They are logging into the website as you, and you’re giving them all the information they need to access your account.
Always go to the website directly and make any profile changes there.
How Can You CYA Against Email Phishing
Do NOT assume you are so technically astute that you would not fall for a spear phishing attack. Even people who should know better fall for them all the time.
Imagine that tomorrow you get an email (phishing attack), ostensibly from one of your Bitcoin service providers, that notifies you of the attack, and recommends that you log in immediately to update your password, providing a handy login link.
Should you click that link?
Answer: NO! You should NEVER click the link in an email.
Do some research and educate yourself about how real these look and how they use psychological bias and noise to trick your eyes and brain.
KnowBe4 is a company that provides employee security training and has a lot of good free information about how to spot and avoid phishing attacks.
I personally rarely, if ever, click links from Bitcoin companies. Go to the site and log on directly. The small extra effort is worth the extra security and avoiding the risk of personal information compromise.
How You Can CYA With Centralized Exchanges
As always, not your keys, not your coins. To be truly decentralized, you MUST get your Bitcoin OFF the exchange and into self-custody.
This is not just a Bitcoin company problem. However, as I am writing about in another piece and something that should be evident at this point, Bitcoiners are a target.
Wake-Up Call On Security And Privacy
These compromises should be a wake-up call on security in all areas of your digital life.
And, you just realized you DO care about privacy.
To that end, you could choose to move to services that do not KYC and/or that do not hold some of your personal information.
For more detailed information about the Hubspot compromise, see Robert Warren’s “What The Hubspot Bitcoin Company Data Breach Means For You (It’s Not Good)”.
This is a guest post by Heidi Porter. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.