Bitcoin Forum

Other => Beginners & Help => Topic started by: o_e_l_e_o on March 20, 2022, 09:55:07 AM



Title: Another day, another data leak - more phishing likely
Post by: o_e_l_e_o on March 20, 2022, 09:55:07 AM
HubSpot are a marketing agency. They collect data and use it to serve you ads, social media marketing, various content, and what not. Yesterday, they were hacked, resulting in the theft of the personal information of an unknown number of people - name, address, email, phone number, etc.

Why should you care? Because it turns out a variety of centralized crypto services have been sharing/selling your data with/to this marketing agency.
Here's the tweet from BlockFi confirming their users are affected: https://nitter.net/BlockFi/status/1504982848771608586
And another tweet from Swan: https://nitter.net/SwanBitcoin/status/1505261139571191813

No doubt we will see more crypto services admitting they were also handing your data over to HubSpot in the coming days.

Users affected can expect phishing emails at the very least pretending to be from these companies and trying to get users to hand over account credentials or seed phrases or complete password resets. I'd also be concerned about SMS phishing or SIM swap attacks, as well as attempted forced access to email and other accounts. More complex phishing attempts could also be attempted, such as those that we saw after the Ledger data leak.

Just another one of the many risks you take when you hand over your personal information to centralized services.


Title: more phishing likely - never click a link instead save the URL
Post by: BitcoinGirl.Club on March 20, 2022, 10:15:33 AM
Users affected can expect phishing emails at the very least pretending to be from these companies and trying to get users to hand over account credentials or seed phrases or complete password resets.
In my email I have received emails from Electrum, Ledger and other kinds of wallets asking me to verify my wallet or I will lose my wallet access. The email is written in a way that an inexperienced user will definitely fall for the trap. Someone with experience will know that there is no centralized service for your desktop and hardware wallets, so nothing like that can happen. So obviously this is a scam and the email has a phishing link to steal your private key and seed.

But...
Imagine you have an account with Binance. You have not KYCed your account. An email from Binance official (email containing the domain name binance.com, for example xyz@binance.com) asking you to KYC your account, and to do that they have given a link button in the email. They also said if you do not do it immediately then they will freeze your assets. What would you do?

You will click the link button, login and WTF! Using a script one can easily send email using any email address in the from field. So receiving email from xyz@binance.com does not mean that the email came from Binance.

So these days receiving an email means this could be a nuclear bomb for you. If you handle it without care then this might destroy everything for you. The sad part? No one will know about it and can do anything about it.

When you are with any financial institute or with any important business, always save their main URL in a document. Always login from those saved URLs instead of logging in from any link that came in the email or SMS.

Quote
Just another one of the many risks you take when you hand over your personal information to centralized services.
This is the time of information, an era of information. There are many services you will need in your life and they will take your personal information. You cannot avoid it sadly. The only way for us is to be aware, and to be educated to avoid any accident.

Good topic by the way.
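
[Added example, not part of any post in this thread] The two checks discussed above, written out in Python: the From field is only text until your own mail server's Authentication-Results header reports dmarc=pass for it, and every link host should match a URL you saved yourself. The domains, the sample message, SAVED_HOSTS and TRUSTED_AUTHSERV are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions (all constructed): hosts the reader saved earlier, and the
# authserv-id their own mail provider stamps on inbound mail.
SAVED_HOSTS = {"www.exchange.example", "accounts.exchange.example"}
TRUSTED_AUTHSERV = "mx.mailprovider.example"

# Constructed sample: the From header shows the service's real domain, but the
# receiving server recorded a DMARC failure and the button leads elsewhere.
SAMPLE = """\
Authentication-Results: mx.mailprovider.example;
 spf=pass smtp.mailfrom=bulk-sender.example;
 dkim=none;
 dmarc=fail header.from=exchange.example
From: "Exchange Support" <kyc@exchange.example>
To: user@mail.example
Subject: Verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<p>Your assets will be frozen unless you complete KYC.</p>
<a href="https://exchange.example.account-verify.example/login">Complete KYC</a>
"""


def from_domain(msg):
    """Domain shown to the user; plain text chosen by whoever sent the mail."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg, trusted=TRUSTED_AUTHSERV):
    """Return {method: result} from the trusted server's Authentication-Results.

    Headers carrying any other authserv-id are ignored, since a sender can
    add their own copy claiming dmarc=pass.
    """
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        authserv = (parts[0].split() or [""])[0].lower()
        if authserv != trusted:
            continue
        results = {}
        for clause in parts[1:]:
            m = re.match(r"(\w+)\s*=\s*(\w+)", clause)
            if m:
                results[m.group(1).lower()] = m.group(2).lower()
        return results
    return {}


def link_hosts(msg):
    """Hosts of every http(s) link found in the text parts of the message."""
    hosts = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        body = raw.decode(part.get_content_charset() or "utf-8", errors="replace")
        for url in re.findall(r'href\s*=\s*["\']([^"\']+)', body, flags=re.I):
            target = urlsplit(url)
            if target.scheme in ("http", "https") and target.hostname:
                hosts.append(target.hostname)
    return hosts


def triage(raw):
    """Return a list of reasons not to trust the message (empty if none found)."""
    msg = message_from_string(raw)
    findings = []
    dmarc = auth_results(msg).get("dmarc", "missing")
    if dmarc != "pass":
        findings.append(
            f"From domain {from_domain(msg)} is not authenticated (dmarc={dmarc})"
        )
    for host in link_hosts(msg):
        if host not in SAVED_HOSTS:
            findings.append(f"link goes to a host you never saved: {host}")
    return findings


if __name__ == "__main__":
    for reason in triage(SAMPLE):
        print("WARN:", reason)
```

An empty result only means these two checks found nothing; logging in from the saved URL remains the safer habit.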


Title: Re: Another day, another data leak - more phishing likely
Post by: pakhitheboss on March 20, 2022, 10:51:00 AM
One of the most common phishing emails that anyone will receive is to verify their Metamask wallet.

https://i.imgur.com/QlHIv5ml.jpg

Any newbie can easily fall for the above scam. They use the KYC trick to lure newbies to click on the blue button. Be careful with such emails and delete them whenever anyone receives such mails.


Title: Re: more phishing likely - never click a link instead save the URL
Post by: rat03gopoh on March 20, 2022, 12:14:06 PM
But...
Imagine you have an account with Binance. You have not KYCed your account. An email from Binance official (email containing the domain name binance.com, for example xyz@binance.com) asking you to KYC your account, and to do that they have given a link button in the email. They also said if you do not do it immediately then they will freeze your assets. What would you do?

For me, that's easy to realize. My habit is that I won't log into any account on 2 or more different devices.
If that link redirects me to the Binance page in the logged in state, I'll check a few other subpages especially the notifications and withdrawal history page before I assume it's really not phishing.


Title: Re: more phishing likely - never click a link instead save the URL
Post by: o_e_l_e_o on March 20, 2022, 12:14:46 PM
Imagine you have an account with Binance. You have not KYCed your account. An email from Binance official (email containing the domain name binance.com, for example xyz@binance.com) asking you to KYC your account, and to do that they have given a link button in the email. They also said if you do not do it immediately then they will freeze your assets. What would you do?
Yeah, that's the difference. Anyone can send round a mass email instructing people to verify their seed phrase or something equally stupid. But once you have the personal details of a person from a service you know they use, then you can specifically target them, making the email appear to come from the service you know they use and including their personal details in the email to make things much more convincing.

There are many service you will need in your life and they will take your personal information. You can not avoid it sadly.
No, but there is a big difference between giving your personal details to your bank so you can take out a mortgage, and giving your details to dozens of strangers across many different centralized exchanges and services who are going to share and sell your data with a bunch of third parties, all of which have unknown (and often very poor) security practices.

Based on your example, looks like only Swan Bitcoin who mention it.
BlockFi also state that the data "included" name, email and phone number for the "majority" of their users.


Title: Re: Another day, another data leak - more phishing likely
Post by: Lucius on March 20, 2022, 12:15:21 PM
After the Ledger leak, nothing can surprise me anymore; it's only a matter of time before a company that keeps data is hacked, and then someone sells all the data or even publishes it publicly. As always, everything should be verified and no one should be trusted blindly - if you receive an email and you are not sure if it came from a legitimate source, ask for confirmation from the legitimate support of that company - and if you are sure it is phishing, save others by marking this mail as spam. That way, such emails will mostly end up in a spam folder where most will not even notice them.

As for calls and SMS, I suggest you block calls and messages from unknown numbers using apps that some smartphones already have, or look for a proven app in your app store. As a last resort, you can always change your e-mail address and phone number - the only problem is if your residential address has become publicly available, in which case pay attention to personal protection in terms of surveillance cameras, security doors, alarms, and self-defense firearms.


Title: Re: Another day, another data leak - more phishing likely
Post by: pawanjain on March 20, 2022, 01:47:27 PM
It's good that OP mentioned this data leak. At least people could be aware of it and prepare for it well before they are being scammed.
It's always better to double check the URLs we are logging into and bookmark the sites to be on the safer side.

You will click the link button, login and WTF! Using a script one can easily send email using any email address in the from field. So receiving email from xyz@binance.com does not mean that the email came from Binance.

What? Is that even possible? How can one possibly change the from address in an email?
If it were so then every scammer would be doing it by now and we would be getting hundreds of fraud/scam complaints on a daily basis.


Title: Re: Another day, another data leak - more phishing likely
Post by: DdmrDdmr on March 20, 2022, 02:43:09 PM
Hubspot is really more of a CRM software SaaS for (inbound) marketing and sales and services. According to this article (https://knowledge.hubspot.com/account/hubspot-cloud-infrastructure-and-data-hosting-frequently-asked-questions), customer data is stored on AWS. That means that the platform hosts customer data for multiple clients, logically separated by different account credentials.

According to Hubspot’s press release (*), an employee account was compromised, allowing the hackers to obtain data from around 30 Hubspot accounts. An account is a Client (i.e. corporation), so it’s like stating that they may have information for a wide range of customers related to 30 different companies. Furthermore, their press release stated that the focus was on crypto companies, which were their customers, and as a result, information related to these companies’ customers is likely in the possession of the hackers.

Allegedly, the information they obtained access to was contact data. Hubspot is often used to send people emails, letters, and attend their service tickets, so although there is no public detail of the leaked information, the probable set is going to be along the lines of name, surname, email, phone, addresses and so forth, but it will depend on what each company using Hubspot gathered. We can see what their customer records look like here:
https://knowledge.hubspot.com/contacts/hubspots-default-contact-properties
There could be more delicate data gathered in service records, but there is no public statement in this regard.

As stated in the OP, the most likely use of the information is going to be targeted phishing campaigns, whereby the emails can be tailored to address a person by his full name, relate them as being a customer of a given company (that they’d impersonate), and perhaps add some extra information from the customer record to make it more convincing – all with a call to action in a brief period of time from (phishing) email reception.


(*) See:
https://ir.hubspot.com/news/hubspots-statement-regarding-march-18-2022-security-incident
https://www.hubspot.com/en-us/march-2022-security-incident

Note:
If anybody wants to read a very entertaining book on working at Hubspot, from a 50+ year old’s perspective, here's a reference:
Dan Lyons – Disrupted -  My Misadventure in the Start-Up Bubble (2016, Hachette Books)

Edit: Allegedly, Pantera Capital is another of the corporations impacted.


Title: Re: Another day, another data leak - more phishing likely
Post by: o_e_l_e_o on March 20, 2022, 04:32:02 PM
According to Hubspot’s press release (*), an employee account was compromised, allowing the hackers to obtain data from around 30 Hubspot accounts. An account is a Client (i.e. corporation), so it’s like stating that they may have information for a wide range of customers related to 30 different companies.
That's a really disingenuous way of reporting that information by HubSpot. I'm sure many people reading "fewer than 30 HubSpot accounts" would think that fewer than 30 individuals have been affected. In reality a single account belonging to BlockFi could contain the data of many millions of users.

Furthermore, their press release stated that the focus was on crypto companies, which were their customers, and as a result, information related to these companies’ customers are likely in possession of the hackers.
2 companies (BlockFi and Swan) out of ~30 certainly isn't "focusing" on crypto companies. Therefore, as I suspected in my initial post, there are almost certainly many other exchanges and services which have leaked customer data here. The fact we haven't seen more companies reporting this means that either their data handling practices are so bad they don't even know they have been affected, or they are deliberately choosing to keep users in the dark. I'm not sure which is worse.


Title: Re: Another day, another data leak - more phishing likely
Post by: dbc23 on March 20, 2022, 06:31:51 PM
It is becoming even riskier releasing data these days to centralized exchanges, not for the sake of avoiding the KYC verification process but for the ease with which these centralized exchange servers get hacked and compromised.

Hubspot was possibly a big catch for these hackers, knowing how much data they had in their servers as a digital marketing hub, and this still won't discourage crypto enthusiasts from storing their coins with these centralized exchanges; many still prefer it to having their full privacy.


Title: Re: Another day, another data leak - more phishing likely
Post by: Z-tight on March 20, 2022, 07:56:50 PM
It is becoming even riskier releasing data these days to centralized exchanges, not for the sake of avoiding the KYC verification process but for the ease with which these centralized exchange servers get hacked and compromised.
It has always been risky; data leaks have been happening right from mtgox till now, and there will likewise be some that will even go unreported, so people who have their personal information with centralized services should be aware that it can be made public at any time when a hack occurs, and another one surely will.
and this still won't discourage crypto enthusiasts from storing their coins with these centralized exchanges; many still prefer it to having their full privacy
It is not only about storing their coins with centralized services; when these hacks occur, money is stolen, and personal information too. Even if you don't lose money, you can lose your personal data, and with that a lot of negative things can be targeted at you, physical robbery inclusive.


Title: Re: Another day, another data leak - more phishing likely
Post by: Upgrade00 on March 20, 2022, 08:16:03 PM
As stated in the OP, the most likely use of the information is going to be targeted phishing campaigns, whereby the emails can be tailored to address a person by his full name, relate them as being a customer of a given company (that they’d impersonate), and perhaps add some extra information from the customer record to make it more convincing – all with a call to action in a brief period of time from (phishing) email reception.
This creates a very risky situation for the users affected. Most of the scam techniques used these days are commonly known and mostly target newbies. But a personalized phishing attack and a fair bit of panic could fool even the most experienced users out there, and this is only the least of concerns; more personalized hacking attempts could be attempted on affected accounts.

More situations like this would occur to dissuade users from submitting their details to random websites.


Title: Re: Another day, another data leak - more phishing likely
Post by: PrimeNumber7 on March 20, 2022, 09:45:34 PM
Users affected can expect phishing emails at the very least pretending to be from these companies and trying to get users to hand over account credentials or seed phrases or complete password resets. I'd also be concerned about SMS phishing or SIM swap attacks, as well as attempted forced access to email and other accounts. More complex phishing attempts could also be attempted, such as those that we saw after the Ledger data leak.
It is probably best to use a unique email address for each crypto-related service you sign up for, and to use a separate phone number for all your crypto-related services (using a unique number for each service is probably not practical).

Over time, there have been so many data breaches that if you have ever provided your information to a crypto service, you are going to be barraged with scam messages. I believe the most common tactic that scammers use is to send emails trying to get people to either provide their credentials or to send coin to an address owned by the scammers under the false pretext that the address belongs to a legitimate service.

Password reset attempts and SIM swap attacks (and similar) are still possible, but they are more difficult to do en masse.


Title: Re: Another day, another data leak - more phishing likely
Post by: jerry0 on March 20, 2022, 10:23:20 PM
Where is the database leak for ledger or blockfi?  Could you check if your email has been compromised?


Title: Re: Another day, another data leak - more phishing likely
Post by: dkbit98 on March 21, 2022, 12:17:41 AM
Why should you care? Because it turns out a variety of centralized crypto services have been sharing/selling your data with/to this marketing agency.
BlockFI and Swan are just two of the companies that reported connection with HubSpot but who knows how many more of them are using them as well.
Leak data from several centralized exchanges, leak data from hardware wallet sellers and you have clear picture of what people are doing.

Users affected can expect phishing emails at the very least pretending to be from these companies and trying to get users to hand over account credentials or seed phrases or complete password resets. I'd also be concerned about SMS phishing or SIM swap attacks, as well as attempted forced access to email and other accounts. More complex phishing attempts could also be attempted, such as those that we saw after the Ledger data leak.
I just checked my old junk email and it's full of fake emails from Kucoin exchange that I don't even use.
A worse thing than receiving emails is getting phone calls or real letters at your home address, and these things happened with the Ledger leak before.
It's hard to live in the modern world without some of these services, but we can use alternative addresses and information to reduce risks.


Title: Re: Another day, another data leak - more phishing likely
Post by: RickDeckard on March 21, 2022, 12:51:42 AM
Edit: Allegedly, Pantera Capital is another of the corporations impacted.
Yup, confirmed per their recent tweet[1]. I think we can also assume that Unchained Capital[2] was also affected[3]. In my quest for affected companies I did find a tweet[4] where a user stated that the Twitter account of Sam Parr - he sold his business "The Hustle" to Hubspot last year[5] - was hacked around the 12th of March. Coincidence?

Why should you care? Because it turns out a variety of centralized crypto services have been sharing/selling your data with/to this marketing agency.
BlockFI and Swan are just two of the companies that reported connection with HubSpot but who knows how many more of them are using them as well.
While this may be a bit farfetched, you can find a list of case studies[6] that demonstrate the impact that HubSpot had in a particular company. I'm not saying that all of them got affected - it depends if they were still clients of them and such - but it does give you an idea of which clients they have/had. Interestingly enough they don't mention either BlockFi nor Swan so this is probably just a small sample of clients that they have interacted with ...

[1] https://nitter.net/panteracapital/status/1362140521800622080
[2] https://unchained.com/
[3] https://nitter.net/lunasats/status/1505068248043343874
[4] https://nitter.net/HubSpot/status/1502787560279576587
[5] https://www.hubspot.com/company-news/hubspot-signs-agreement-to-acquire-the-hustle-adding-content-to-help-scaling-companies-grow-better
[6] https://www.hubspot.com/case-studies/directory


Title: Re: Another day, another data leak - more phishing likely
Post by: o_e_l_e_o on March 21, 2022, 09:36:42 AM
Yup, confirmed per their recent tweet[1].
That tweet is over a year old, from a separate data breach. However, as per the emails going around, Pantera have indeed been affected this time as well: https://nitter.net/nina_kaplan/status/1505410357501870081. This email again seems to confirm what I said above: Names, email addresses, phone numbers, and physical addresses (as well as regulatory classification).

The tweet you shared from Unchained is about yet another separate data breach, this one from a marketing agency called ActiveCampaign. In addition to the information above, it also says IP addresses as well as information regarding users' loans has been leaked.

The bottom line is any information you give to a centralized exchange or service is highly likely to end up leaked across the entire internet sooner or later. Take that in to consideration next time you go handing out your personal details.


Title: Re: Another day, another data leak - more phishing likely
Post by: dkbit98 on March 21, 2022, 12:59:03 PM
While this may be a bit farfetched, you can find a list of case studies[6] that demonstrate the impact that HubSpot had in a particular company. I'm not saying that all of them got affected - it depends if they were still clients of them and such - but it does give you an idea of which clients they have/had. Interestingly enough they don't mention either BlockFi nor Swan so this is probably just a small sample of clients that they have interacted with ...
If you check websites like haveibeenpwned.com, you will see similar leaks are popping up all the time, and who knows how many more are unreported in public.
I noticed some of the most recent include cryptocurrency exchanges like BTC-Alpha and financial apps like Robinhood

- ZAP-Hosting
- CDEK
- Robinhood
- MacGeneration
- NVIDIA
- GiveSendGo
- RedDoorz
- BTC-Alpha
- ShockGore
- Open Subtitles
https://haveibeenpwned.com/

The bottom line is any information you give to a centralized exchange or service is highly likely to end up leaked across the entire internet sooner or later. Take that in to consideration next time you go handing out your personal details.
I agree with you totally on this, but people just don't listen until they get burned.
It's not hard to use alternative personal information like temp email, alternative phone number, PO box for your delivery address, etc.
Hardest thing would be to use alternative legal name, but that can also be arranged and it's not as dangerous as giving away other personal information I mentioned before.


Title: Re: more phishing likely - never click a link instead save the URL
Post by: Charles-Tim on March 21, 2022, 01:34:30 PM
But once you have the personal details of a person from a service you know they use, then you can specifically target them, making the email appear to come from the service you know they use and including their personal details in the email to make things much more convincing.
Exactly. But still if the user is not clicking on the emails, the user is still perfectly fine, but this is the way many newbies are scammed because of little knowledge and ignorance of phishing attack. Although, if properly checked, it can still be known that it is a phishing attempt but it is just good to never click on emails not authorized for.

I wonder how it would be when many people that can do physical attacks would know how a transaction is. Exchange data leaks are very common; they occur every year. It can come to a time when attackers will directly come to someone's home, telling him how data was breached on the exchange the person is using and how they need to know his balance on the exchange. Even checking wallets and the like. Transferring the coins to a noncustodial wallet. This may seem impossible, but there is nothing impossible. I can remember some strangers were calling during the Ledger data breach about how they will visit victims' homes.


Title: Re: Another day, another data leak - more phishing likely
Post by: Fivestar4everMVP on March 21, 2022, 05:05:40 PM
One of the most common phishing emails that anyone will receive is to verify their Metamask wallet.

https://talkimg.com/images/2023/12/16/E5n9f.png

Any newbie can easily fall for the above scam. They use the KYC trick to lure newbies to click on the blue button. Be careful with such emails and delete them whenever anyone receives such mails.
This was exactly how my first wallet was hacked in 2016, and even till today, whatever amount of ETH goes into that wallet is immediately transferred to another wallet. I don't know how the scammer did it, but my guess is that he or she (whatever gender the person is) has a smart contract built which monitors his or her victims' wallet addresses 24/7, and the contract is able to transfer to another wallet any amount of ETH sent to their victims' wallets.

I lost a good amount of money from the hack if I calculate by today's eth price, but the good thing is that I learnt, and I or anybody I know can never be victim to this kind of phishing attack again.


Title: Re: Another day, another data leak - more phishing likely
Post by: RickDeckard on March 21, 2022, 07:02:41 PM
Yup, confirmed per their recent tweet[1].
That tweet is over a year old, from a separate data breach. However, as per the emails going around, Pantera have indeed been affected this time as well: https://nitter.net/nina_kaplan/status/1505410357501870081. This email again seems to confirm what I said above: Names, email addresses, phone numbers, and physical addresses (as well as regulatory classification).

The tweet you shared from Unchained is about yet another separate data breach, this one from a marketing agency called ActiveCampaign. In addition to the information above, it also says IP addresses as well as information regarding users' loans has been leaked.
It looks like that I was able to miss most of my twitter findings regarding this particular breach, my bad! However I think we ought to see that this won't be the last time that a leak of private information will happen...
The bottom line is any information you give to a centralized exchange or service is highly likely to end up leaked across the entire internet sooner or later. Take that in to consideration next time you go handing out your personal details.
I would like to believe that most people would want to be cautious against sending their personal information to a random server but now, more than ever, I honestly don't believe that people care about it. They are willing to trade that little piece of private information that they have in exchange for whatever "goods" the service may give to them or that they may find useful. How many people do we know that blindly click on "Accept all conditions" whenever they are using their Facebook/Gmail/Random internet service account as a way to "register" to platforms? They are trading their information by a way to quickly register to a certain service, most of the time they don't even care to read what kind of information will they be trading for such a "process"...

(snip) I can remember some strangers were calling during ledger data breach about how they will visit victims home.
This almost sounds like a dystopian future but you're right, it did happen and it was scary as hell. Just imagine receiving an e-mail such as this[1] one. Sure it could be 100 % fake - the address ended up receiving less than 5 USD[2] - but what if it wasn't? Would you be willing to risk the safety of your family being fully aware that your address and name were tied to a leak regarding Ledger product purchases? In at least one of the hacks we're talking about 270k users' information that was leaked[3] and if we assume that most of the members had family and such, we're talking about jeopardizing the privacy/lives of a handful of people around the globe.

On a related note, about one year ago - April 6th - a class action lawsuit was filed[4][5] by Schneider Wallace. As they put it: "Plaintiffs allege Ledger and Shopify “negligently allowed, recklessly ignored, and then intentionally sought to cover up” the data breach. The complaint was filed in the Northern District of California." Looking forward to what may come out of it eventually...

[1] https://libreddit.spike.codes/r/ledgerwallet/comments/kh8q82/fantastic/
[2] https://blockchair.com/bitcoin/address/16Hg8rPPFRtqCjxpwibUnpd4uVVvNj5Gmz
[3] https://cointelegraph.com/news/ledger-data-leak-a-simple-mistake-exposed-270k-crypto-wallet-buyers
[4] https://www.schneiderwallace.com/media/ledger-shopify-class-action-lawsuit-data-breach-cover-up/
[5] https://www.schneiderwallace.com/wp-content/uploads/2021/05/Chu-et-al-v.-Ledger-SAS-SWCK-Cryptocurrency-Lawsuit.pdf


Title: Re: Another day, another data leak - more phishing likely
Post by: o_e_l_e_o on March 21, 2022, 07:18:28 PM
I don't know how the scammer did it, but my guess is that he or she(what ever gender the person is) has a smart contract built which monitors his or her victims wallets addresses 24/7 and the contract is able to transfer to another wallet any amount of eth sent to their victims wallet.
Such set ups are quite common. Another common scam involving Ethereum addresses is for someone to publicly reveal the private key to an address which has a substantial amount of tokens on it (usually pretending it was an accident), and whenever anyone sends any ETH to the address to cover the gas fees to try to move the tokens, the ETH is immediately transferred out to another address. I don't really feel bad for these people who lose their ETH, though, since they were trying to steal the tokens in the first place.

They are trading their information by a way to quickly register to a certain service, most of the time they don't even care to read what kind of information will they be trading for such a "process"...
It's far worse than that. People actually spend their money to bug their own houses with devices which listen to everything they say and even record their every movement, all so they can listen to a certain song without having to pick up their phone and tap the screen a few times. And then they act surprised when they get served ads for things they were talking about to their family. ::) And of course, all that recorded data is no more immune to hacks, leaks, or being sold than all the other data we are already discussing here.


Title: Re: Another day, another data leak - more phishing likely
Post by: PrimeNumber7 on March 22, 2022, 02:24:19 AM
Circle was apparently affected by this breach. According to Circle, "in the course of [their] marketing outreach initiatives [sic] we received prospect data from various sources and stored that information in our HubSpot account".

This implies that someone's information being stored in Circle's HubSpot account was not necessarily a function of having a Circle account, but rather was a function of the person's information being on some marketing list. If the above is true (and is true for other HubSpot clients), I would say the breach is likely not as serious as it may otherwise have been. It would mean that having your information in Circle's HubSpot account would not mean the person had a Circle account, and that there would be a lot of overlap between people in each HubSpot account.


Title: Re: Another day, another data leak - more phishing likely
Post by: o_e_l_e_o on March 22, 2022, 09:14:42 AM
And throw NYDIG (New York Digital Investment Group) into the mix too, who are a provider of bitcoin and associated services to institutional clients. Still, we know that 30 companies were affected, and the attack was "focused on crypto related companies", so more names to come I'm sure.

I would say the breach is likely not as serious as it may otherwise have been.
Even if this is the case, this breach could still easily lead to someone losing their coins, and it will only be a matter of time before the next breach which might include KYC documents, passwords, account balances, or who knows what else.


Title: Re: Another day, another data leak - more phishing likely
Post by: aysg76 on March 22, 2022, 09:53:24 AM
Another one of the back stage data leaks by the CRM company who provides services to the crypto companies and the fact which is not ignorant by us is that these centralised services will always find their profits at the first stage and sell your personal information without you knowing.

Even if we talk about such data breaches in other companies also then it's not new and they are summoned to respond to the allegations like Meta, Google, Apple all are collecting the user data and getting access to the files but in this crypto space this becomes more dangerous as you are no longer anonymous and your data is being used for different purposes.

We should be extra cautious because our security lies in our hand and most people can fall for these phishing email scams asking to fill out your password and other information being the original company mail but they are not so be careful with them.

~snip~
As per them only 30 accounts have been compromised but they have still not given the full disclosure of the list to avoid any further defamations but you could probably come with some excuses to safeguard yourself like saying hackers got access to employees account through which this was possible.

They have also given the assurance that internal information is safe like password because HubSpot is external tool but still the email scams can compromise lot of information of the users in this industry stored on their storage.

These are the reasons we must always be cautious before signing up for any service and thanks to the forum that we have an idea about the ongoing fraudulent activities in this space and how to be safe from them.


Title: Re: Another day, another data leak - more phishing likely
Post by: PrimeNumber7 on March 22, 2022, 10:12:42 AM
I would say the breach is likely not as serious as it may otherwise have been.
Even if this is the case, this breach could still easily lead to someone losing their coins, and it will only be a matter of time before the next breach which might include KYC documents, passwords, account balances, or who knows what else.
You are right, this breach will likely (and likely already has) lead to some people losing coin via social engineering attacks. I think it is best to teach people how to spot these types of attacks, and how to protect themselves. While it is a laudable goal for people to not ever give any personal information to any company, and to have "100% privacy" I don't think this is a realistic goal.

It is not a matter of time before exchange breaches include password (hashes), account balances and similar, as this has happened in the past, multiple times. It is important that people are aware of the risk of their sensitive personal information leaking before giving it up to centralized exchanges.


Title: Re: Another day, another data leak - more phishing likely
Post by: RickDeckard on March 22, 2022, 10:20:16 PM
Even if this is the case, this breach could still easily lead to someone losing their coins, and it will only be a matter of time before the next breach which might include KYC documents, passwords, account balances, or who knows what else.
I was just looking for information regarding the Passport discussion thread and I think that you'll like what I found - just hear Zach Herbert's opinion[1] regarding how people care about their data, I think you'll find a reply that's very close to what we've been discussing on this thread (and have discussed in the past). People will just be aware of how fragile their information on the internet is secured whenever they are deeply impacted by it. I can't tell you the times that many colleagues of mine just say "I don't care, I don't use it no more" whenever I show the results of multiple breaches of services attached to their e-mails on the haveibeenpwned website... It just baffles me how careless they are with the single and most important piece of information that they may have as individuals...

[1] https://youtu.be/DFLte6GbCys?t=1314


Title: Re: Another day, another data leak - more phishing likely
Post by: PX-Z on March 22, 2022, 11:39:37 PM
I have received lots of crypto spam emails, SMS and even calls in the past few years because of Ledger hacked, **too annoyed.

Now, now if I remember correctly I only use KuCoin exchange (due to not requiring KYC) now if KuCoin will admit that they use such platform, then it will be another wave of spams indeed which is too annoying in my part specially in a way of calls, which gives me worried answering even the legit calls from legit company.


Title: Re: Another day, another data leak - more phishing likely
Post by: o_e_l_e_o on March 23, 2022, 09:21:24 AM
As per them only 30 accounts have been compromised
As we discussed above, each account belongs to a company, and each company could store the data of millions of users.

but they have still not given the full disclosure of the list to avoid any further defamations
This is particularly concerning behavior. If your data is compromised, at the very least you deserve to know about it. The fact we've only heard from five of these thirty companies is scandalous.

It is not a matter of time before exchange breaches include password (hashes), account balances and similar, as this has happened in the past, multiple times.
I should have been more clear - it's only a matter of time until the next KYC data breach. Obviously there have been countless in the past.

then it will be another wave of spams indeed which is too annoying in my part specially in a way of calls, which gives me worried answering even the legit calls from legit company.
Everyone should be using disposable email accounts and phone numbers to be signing up for centralized exchanges, since they've shown time and again they cannot be trusted to protect your data.


Title: Re: Another day, another data leak - more phishing likely
Post by: o_e_l_e_o on March 28, 2022, 12:12:57 PM
An update from Swan Bitcoin: https://nitter.net/SwanBitcoin/status/1506355008127877123

Quote
Approximately 0.2% of the dataset included a limited historical snapshot of USD deposits. The inclusion of this data occurred against company policy, and we have conducted a full post-mortem to ensure this cannot happen in the future.

Approximately 1.2% of the dataset included clients' intended investment range or the median net worth of their approximate geographic area.

So in this not-at-all-surprising twist, turns out (as with pretty much every data leak) that this leak was more serious than initially thought and contained some sensitive financial information on a number of users. How did HubSpot get access to this data when it wasn't supposed to happen? What other data did they have access to, and from which companies, that they weren't supposed to have access to?

They also state that "ten companies" have made public disclosures about this hack. I count five - BlockFi, Swan, Circle, Pantera, NYDIG. Who are the others?


Title: Re: Another day, another data leak - more phishing likely
Post by: DdmrDdmr on March 28, 2022, 05:04:48 PM
Taking a big leap, but in order to make it more comprehensible by known association, HubSpot can be seen as a conceptual functional subset of what Salesforce is. That is to say, some companies use it (HubSpot) as their (minor) full-fledged CRM, and therefore, for any given lead or prospect qualification campaign, they may ask for specific information that is tailored to the campaign’s needs of information.

For example, one can easily envision a given Swan Lead generation campaign asking their leads to provide their annual income, or another asking for the investment range. This data may be only demanded in certain campaigns, thus not found on all customer records (i.e. the small percentages they mention in their status release). This data will likely remain attached to the historical record of the person, as he moves from lead to prospect and then to client.

This sort of information can either be part of the predefined data fields defined in the CRM (see the default contact details here (https://knowledge.hubspot.com/contacts/hubspots-default-contact-properties?_ga=2.135700019.341006870.1586180142-500942594.1573763828)), or managed and stored through added custom fields (see here (https://knowledge.hubspot.com/crm-setup/manage-your-properties?_ga=2.135700019.341006870.1586180142-500942594.1573763828#create-custom-properties)). This is all part of the contact data record, which APIs can give access to with more or less effort and understanding.

I haven’t seen the complete list of names of the 30 or so companies affected by the leak. I wouldn’t expect HubSpot to release it to the public, but rather it should be each affected company that contacts its own user base. There are normally regulations that delimit the timeframe to divulge this information to those affected users, as well as ethical and early alert considerations.

Judging by the time that has gone by, albeit it not being tremendous, it should have been paramount for companies to have contacted their own set of customers on the matter at hand by now. It should, therefore, probably be known by now to the general public, derived from public reports made from notified customers. The fact that the complete list of 30 or so companies is not yet known suggests that some are taking way too long to do their part ...