Bitcoin Forum
Author Topic: [Be Aware]: Celsius email security breach  (Read 121 times)
cryptomaniac_xxx (OP)
April 16, 2021, 09:45:12 AM
 #1

Quote
What happened:

On April 14, 2021, Celsius customers began reporting a fraudulent website claiming to be an official Celsius platform. We also became aware of some Celsius customers receiving SMS and email messages, that claimed to be official Celsius communication, linking to that website, and prompting recipients to enter sensitive information.



https://twitter.com/cinvestor85/status/1382575876592726020

So if any of you click on that link:

Code:
celsiuswallet[.]network

It's an obvious phishing link. I do hope that no one from this community has fallen for this trick.



Quote
What we know:

An unauthorized party managed to gain access to a back-up third-party email distribution system which had connections to a partial customer email list. Once inside the system, this unauthorized party sent a fraudulent email announcement, of which we know some of the recipients to be Celsius customers.

The intent was to make the recipients believe the fraudulent email came from Celsius, that the fraudulent site was a true Celsius site, and to take ownership of recipients’ cryptocurrency assets from their personal (non-Celsius) wallet by prompting the user to provide the seed phrase to their personal wallet address.

https://celsiusnetwork.medium.com/celsius-security-notice-april-2021-154a587f7ca3
pakhitheboss
April 16, 2021, 12:46:48 PM
 #2

The question is how these scammers were able to get phone numbers?

Receiving random scam emails is common nowadays, but receiving SMS is quite strange. Are they hiding something? I suspect they might have got hacked; otherwise how is it possible to receive SMS?

Quote
On April 14, 2021, Celsius customers began reporting a fraudulent website claiming to be an official Celsius platform.

Celsius customers are receiving fraudulent emails and SMS and not random users.


Pmalek
April 16, 2021, 01:00:38 PM
 #3

Quote
The question is how these scammers were able to get phone numbers?

Maybe the database the scammers got their hands on contained registered phone numbers and email addresses as well. In their security report, they mentioned there is a possibility that an external third-party database got hacked because some users who didn't register a phone or email also received the notifications. 

Quote
Our team is actively working to understand how the unauthorized party managed to gain access to the third-party email distribution system and the source of the list used to send fraudulent communications via SMS.

We are checking with all of our third-party vendors and within other recent external/public data leaks to understand where this information came from and if third-party platforms have been vulnerable to any related incidents. We know that customers who had not registered an email or phone number with Celsius also received fraudulent messages to these contact details, thus we believe the data was collected from external data sources.
https://celsiusnetwork.medium.com/celsius-security-notice-april-2021-154a587f7ca3

bitcoinVPSD
April 16, 2021, 01:17:16 PM
 #4

Quote
they mentioned there is a possibility that an external third-party database got hacked because some users who didn't register a phone or email also received the notifications.

I have a question, if what they say is true, how would a third party gain access to their customer database? Customer data is often kept private in their platform, how is it provided to a third party?

Pmalek
April 16, 2021, 01:36:28 PM
Merited by mk4 (1)
 #5

Quote
I have a question, if what they say is true, how would a third party gain access to their customer database? Customer data is often kept private in their platform, how is it provided to a third party?

Many companies and platforms outsource these things to third parties. Maybe you remember the leak of Ledger customer data. Their partner Shopify got hacked. Among the 200 customers that relied on Shopify was also Ledger. I am not sure what Celsius does exactly, but if they conducted KYC on their customers, this procedure was probably outsourced to someone else. The database of that third party could have been hijacked. Then you have things like marketing data, newsletters, or ads. The more data that is kept, the bigger the possibility that some of it gets illegally obtained at one time in the future.

mk4
April 16, 2021, 02:42:35 PM
 #6

Quote
they mentioned there is a possibility that an external third-party database got hacked because some users who didn't register a phone or email also received the notifications.
I have a question, if what they say is true, how would a third party gain access to their customer database? Customer data is often kept private in their platform, how is it provided to a third party?

What Pmalek said. And since what was breached was an email distribution system (as per the Medium article), then I could almost guarantee that this was a 3rd party marketing software/platform; something like Mailchimp or ConvertKit.

Lafu
April 16, 2021, 04:01:00 PM
 #7

Quote
Many companies and platforms outsource these things to third parties. Maybe you remember the leak of Ledger customer data.

Exactly, that is the problem with email data or KYC data files or any other personal detail information.
Most companies and platforms don't want to pay or invest a lot of money to run their own service for this.
The more parties are involved in this kind of thing, the bigger the chance that something like this happens.
The worst parties are the marketing ones; a lot of them sell the data in the background for big money.

mk4
Legendary
*
Offline Offline

Activity: 2800
Merit: 3851


Paldo.io 🤖


View Profile
April 16, 2021, 04:26:06 PM
 #8

Quote
Exactly, that is the problem with email data or KYC data files or any other personal detail information.
Most companies and platforms don't want to pay or invest a lot of money to run their own service for this.
The more parties are involved in this kind of thing, the bigger the chance that something like this happens.
The worst parties are the marketing ones; a lot of them sell the data in the background for big money.

Though I can't speak for the case of Celsius, I have experience running multiple small businesses. And while it's definitely a KYC nightmare, it's going to be pretty difficult to run marketing campaigns without entrusting customer contact information (email, mobile#) to 3rd party platforms unfortunately if you don't have a mid-large company budget. It's pretty much the only feasible solution unfortunately, because it's simply the far more feasible solution than creating everything from scratch.

PrimeNumber7
April 17, 2021, 01:06:56 PM
 #9

Quote
So if any of you click on that link:

Code:
celsiuswallet[.]network

It's an obvious phishing link. I do hope that no one from this community has fallen for this trick.


It is a phishing link, but it is not obvious to everyone. The domain is similar to the domain for the "real" Celsius website, and a casual user who does not frequently visit their website may not notice the difference.
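
The lookalike-domain point in the post above, as an added example that is not part of the thread: a link checker that compares a host against an allowlist and flags hosts that embed or nearly spell the brand name. The allowlist, the assumption that `celsius.network` is the official site, and all sample links except the one quoted in the thread are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions (not from the thread): the defender maintains this allowlist, and
# "celsius.network" is taken to be the official site. The Medium host is the
# one linked in the thread.
OFFICIAL = {"celsius.network", "celsiusnetwork.medium.com"}
BRAND = "celsius"

def host_of(link):
    """Refang a defanged link such as example[.]com and return its lowercase host."""
    link = link.strip().replace("[.]", ".").replace("hxxp", "http")
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").rstrip(".").lower()

def is_official(host):
    """Exact match or a true subdomain of an allowlisted domain."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(link):
    host = host_of(link)
    if not host:
        return "unparseable"
    if is_official(host):
        return "official"
    labels = host.split(".")
    if any(BRAND in label for label in labels):
        return "brand-in-unofficial-host"   # brand name plus extra words or a different parent domain
    if any(edit_distance(label, BRAND) <= 2 for label in labels):
        return "near-miss-spelling"         # candidates for manual review
    return "unrelated"

# Constructed sample links; only the first appears in the thread.
SAMPLES = ["celsiuswallet[.]network", "https://app.celsius.network/login",
           "celsius.network.login.example", "ce1sius.example", "bitcointalk.org"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:40} {classify(s)}")
```

The suffix check in `is_official` requires a leading dot, so a host that merely starts with the official name, such as the third sample, is not treated as a subdomain.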