Another day, another data leak - more phishing likely

[o_e_l_e_o]

HubSpot are a marketing agency. They collect data and use it to serve you ads, social media marketing, various content, and what not. Yesterday, they were hacked, resulting in the theft of the personal information of an unknown number of people - name, address, email, phone number, etc.

Why should you care? Because it turns out a variety of centralized crypto services have been sharing/selling your data with/to this marketing agency.
Here's the tweet from BlockFi confirming their users are affected: https://nitter.net/BlockFi/status/1504982848771608586
And another tweet from Swan: https://nitter.net/SwanBitcoin/status/1505261139571191813

No doubt we will see more crypto services admitting they were also handing your data over to HubSpot in the coming days.

Users affected can expect phishing emails at the very least pretending to be from these companies and trying to get users to hand over account credentials or seed phrases or complete password resets. I'd also be concerned about SMS phishing or SIM swap attacks, as well as attempted forced access to email and other accounts. More complex phishing attempts could also be attempted, such as those that we saw after the Ledger data leak.

Just another one of the many risks you take when you hand over your personal information to centralized services.

[1715120478]

1715120478

[BitcoinGirl.Club]

Users affected can expect phishing emails at the very least pretending to be from these companies and trying to get users to hand over account credentials or seed phrases or complete password resets.

In my email I have received email from Electrum, ledger and other kind of wallets asking for verify my wallet or I will lose my wallet access. The email is written is a way that an inexperience user will defiantly fall for the trap. Someone with experience will know that there are no centralized service for your desktop and hardware wallets so there are nothing such can happen. So obviously this is a scam and the email has phishing link to steal your private key and seed.

But...
Imagine you have account with Binance. You have not KYCed you account. An email from binance official (email containing the domain name binance.com. For example xyz@binance.com) asking your to KYC your account and to do that they have given a link button in the email. They also said if you do not do it immediately then they will freeze your assets. What would you do?

You will click the link button, login and WTF! Using a script one can easily send email using any email address in the from field. So receiving email from xyz@binance.com does not mean that the email came from Binance.

So these days receiving an email means this could be a nuclear bomb for you. If you handle it without care then this might destroy everything for you. The sad part? No one will know about it and can do anything about it.

When you are with any financial institute or with any important business, always save their main URL in a document. Always login from those saved URLs instead of logging in from any link that came in the email or SMS.

Just another one of the many risks you take when you hand over your personal information to centralized services.

This is time for information, an era of information. There are many service you will need in your life and they will take your personal information. You can not avoid it sadly. The only way for us is to be aware, and to be educated to avoid any accident.

Good topic by the way.

[pakhitheboss]

One of the most common phishing emails that anyone will receive is to verify their Metamask wallet.



Any newbie can easily fall for the above scam. They use the KYC trick to lure newbies to click on the blue button. Be careful with such emails and delete them whenever anyone receives such mails.

[rat03gopoh]

But...
Imagine you have account with Binance. You have not KYCed you account. An email from binance official (email containing the domain name binance.com. For example xyz@binance.com) asking your to KYC your account and to do that they have given a link button in the email. They also said if you do not do it immediately then they will freeze your assets. What would you do?

For me, that's easy to realize. My habit is that I won't log into any account on 2 or more different devices.
If that link redirects me to the Binance page in the logged in state, I'll check a few other subpages especially the notifications and withdrawal history page before I assume it's really not phishing.

[o_e_l_e_o]

Imagine you have account with Binance. You have not KYCed you account. An email from binance official (email containing the domain name binance.com. For example xyz@binance.com) asking your to KYC your account and to do that they have given a link button in the email. They also said if you do not do it immediately then they will freeze your assets. What would you do?

Yeah, that's the difference. Anyone can send round a mass email instructing people to verify their seed phrase or something equally stupid. But once you have the personal details of a person from a service you know they use, then you can specifically target them, making the email appear to come from the service you know they use and including their personal details in the email to make things much more convincing.

There are many service you will need in your life and they will take your personal information. You can not avoid it sadly.

No, but there is a big difference between giving your personal details to your bank so you can take out a mortgage, and giving your details to dozens of strangers across many different centralized exchanges and services who are going to share and sell your data with a bunch of third parties, all of which have unknown (and often very poor) security practices.

Based on your example, looks like only Swan Bitcoin who mention it.

BlockFi also state that the data "included" name, email and phone number for the "majority" of their users.

[Lucius]

After Ledger Leak, nothing can surprise me anymore, it's only a matter of time before a company that keeps data is hacked, and then someone sells all the data or even publishes it publicly. As always, everything should be verified and no one should be trusted blindly - if you receive an email and you are not sure if it came from a legitimate source, ask for confirmation from the legitimate support of that company - and if you are sure it is phishing, save others by mark this mail as spam. That way, such emails will mostly end up in a spam folder where most will not even notice them.

As for calls and SMS, I suggest you block calls and messages from unknown numbers using apps that some smartphones already have, or look for a proven app in your app store. As a last resort, you can always change your e-mail address and phone number - the only problem is if your residential address has become publicly available, in which case pay attention to personal protection in terms of surveillance cameras, security doors, alarms, and self-defense firearms.

[pawanjain]

It's good that OP mentioned this data leak. At least people could be aware of it and prepare for it well before they are being scammed.
It's always better to double check the URLs we are logging into and bookmark the sites to be on the safer side.

You will click the link button, login and WTF! Using a script one can easily send email using any email address in the from field. So receiving email from xyz@binance.com does not mean that the email came from Binance.

What ? Is that even possible ? How can one possible change the from address in an email ?
It were so then every scammer would be doing it by now and we would be getting hundreds of fraud/scam complaints on daily basis.

[DdmrDdmr]

Hubspot is really more of a CRM software SaaS for (inbound) marketing and sales and services. According to this article, customer data is stored on AWS. That means that the platforms hosts customer data for multiple clients, logically separated by different account credentials.

According to Hubspot’s press release (*), an employee account was compromised, allowing the hackers to obtain data from around 30 Hubspot accounts. An account is a Client (i.e. corporation), so it’s like stating that they may have information for a wide range of customers related to 30 different companies. Furthermore, their press release stated that the focus was on crypto companies, which were their customers, and as a result, information related to these companies’ customers are likely in possession of the hackers.

Allegedly, the information they obtained access to was contact data. Hubspot is often used to send people emails, letters, and attend their service tickets so although there is no public detail of the leaded information, the probable set is going to be in the line of name, surname, email, phone, addresses and so forth, but it will depend on what each company that using Hubspot gathered. We can see what their customer records looks like here:
https://knowledge.hubspot.com/contacts/hubspots-default-contact-properties
There could be more delicate data gathered in service records, but there is no public statement to this regards.

As stated in the OP, the most likely use of the information is going to be targeted phishing campaigns, whereby the emails can be tailored to address a person by his full name, relate them as being a customer of a given company (that they’d impersonate), and perhaps add some extra information from the customer record to make it more convincing – all with a call to action in a brief period of time from (phishing) email reception.


(*) See:
https://ir.hubspot.com/news/hubspots-statement-regarding-march-18-2022-security-incident
https://www.hubspot.com/en-us/march-2022-security-incident

Note:
If anybody wants to read a very entertaining book on working at Hubspot, from a 50+ year old’s perspective, here's a reference:
Dan Lyons – Disrupted -  My Misadventure in the Start-Up Bubble (2016, Hachette Books)

Edit: Allegedly, Pantera Capital is another of the corporations impacted.

[o_e_l_e_o]

According to Hubspot’s press release (*), an employee account was compromised, allowing the hackers to obtain data from around 30 Hubspot accounts. An account is a Client (i.e. corporation), so it’s like stating that they may have information for a wide range of customers related to 30 different companies.

That's a really disingenuous way of reporting that information by HubSpot. I'm sure many people reading "fewer than 30 HubSpot accounts" would think that fewer than 30 individuals have been affected. In reality a single account belonging to BlockFi could contain the data of many millions of users.

Furthermore, their press release stated that the focus was on crypto companies, which were their customers, and as a result, information related to these companies’ customers are likely in possession of the hackers.

2 companies (BlockFi and Swan) out of ~30 certainly isn't "focusing" on crypto companies. Therefore, as I suspected in my initial post, there are almost certainly many other exchanges and services which have leaked customer data here. The fact we haven't seen more companies reporting this means that either their data handling practices are so bad they don't even know they have been affected, or they are deliberating choosing to keep users in the dark. I'm not sure which is worse.

[dbc23]

It is becoming even more riskier releasing datas this days to centralized exchanges, not for the sake of avoiding the KYC verification process but for the ease to which this centralized exchange servers get hacked and compromised.

Hubspot was possibly a big catch for this hackers knowing how much data they had in their servers as a digital marketing hub and this won't stilll discourage crypto enthusiast from storing their coin with this centralized exchanges many still prefer it to having their full privacy

[Z-tight]

It is becoming even more riskier releasing datas this days to centralized exchanges, not for the sake of avoiding the KYC verification process but for the ease to which this centralized exchange servers get hacked and compromised.

It has always been risky, data leaks have been happening right from mtgox till now, there will likewise be some that will even go unreported, so people who have their personal information with centralized services should be aware that it can be made public at anytime when a hack occurs, and another one surely will.

and this won't stilll discourage crypto enthusiast from storing their coin with this centralized exchanges many still prefer it to having their full privacy

It is not only about storing their coins with centralized services, when this hacks occur, money is stolen, and personal information too, even if you don't lose money, you can lose your personal data, and with that a lot of negative things can be targeted at you, physical robbery inclusive.

[Upgrade00]

As stated in the OP, the most likely use of the information is going to be targeted phishing campaigns, whereby the emails can be tailored to address a person by his full name, relate them as being a customer of a given company (that they’d impersonate), and perhaps add some extra information from the customer record to make it more convincing – all with a call to action in a brief period of time from (phishing) email reception.

This creates a very risky situation for the users affected. Most of the scam techniques used these days are commonly known and mostly targets newbies. But a personalized phishing attack and a fair bit of panic could fool even the most experienced users out there and this is only the least of concerns; More personalized hacking attempts could be attempted on affected accounts.

More situations like this would occur to dissuade users from submitting their details to random websites.

[PrimeNumber7]

Users affected can expect phishing emails at the very least pretending to be from these companies and trying to get users to hand over account credentials or seed phrases or complete password resets. I'd also be concerned about SMS phishing or SIM swap attacks, as well as attempted forced access to email and other accounts. More complex phishing attempts could also be attempted, such as those that we saw after the Ledger data leak.

It is probably best to use a unique email address for each crypto-related service you sign up for, and to use a separate phone number for all your crypto-related services (using a unique number for each service is probably not practical).

Over time, there have been so many data breaches that if you have ever provided your information to a crypto service, you are going to be barraged with scam messages. I believe the most common tactic that scammers use is to send emails trying to get people to either provide their credentials or to send coin to an address owned by the scammers under the false pretext that the address belongs to a legitimate service.

Password reset attempts and SIM swap attacks (and similar) are still possible, but they are more difficult to do in masse.

[jerry0]

Where is the database leak for ledger or blockfi?  Could you check if your email has been compromised?

[dkbit98]

Why should you care? Because it turns out a variety of centralized crypto services have been sharing/selling your data with/to this marketing agency.

BlockFI and Swan are just two of the companies that reported connection with HubSpot but who knows how many more of them are using them as well.
Leak data from several centralized exchanges, leak data from hardware wallet sellers and you have clear picture of what people are doing.

Users affected can expect phishing emails at the very least pretending to be from these companies and trying to get users to hand over account credentials or seed phrases or complete password resets. I'd also be concerned about SMS phishing or SIM swap attacks, as well as attempted forced access to email and other accounts. More complex phishing attempts could also be attempted, such as those that we saw after the Ledger data leak.

I just checked my old junk email and it's full with fake emails from Kucoin exchange that I don't even use.
Worst thing than receiving emails is getting phone calls are real letter on your home address, and this things happened with ledger leak before.
It's hard to live in modern world without some of this services but we can use alternative addresses and information to reduce risks.

[RickDeckard]

Edit: Allegedly, Pantera Capital is another of the corporations impacted.

Yup, confirmed per their recent tweet[1]. I think we can also assume that Unchained Capital[2] was also affected[3]. In my quest for affected companies I did found tweet[4] where a user stated that the twitter account of Sam Parr - he sold his business "The Hustle" to Hubspot last year[5] - was hacked around 12th of March. Coincidence?

Why should you care? Because it turns out a variety of centralized crypto services have been sharing/selling your data with/to this marketing agency.

BlockFI and Swan are just two of the companies that reported connection with HubSpot but who knows how many more of them are using them as well.

While this may be a bit farfetched, you can find a list of case studies[6] that demonstrate the impact that HubSpot had in a particular company. I'm not saying that all of them got affected - it depends if they were still clients of them and such - but it does give you an idea of which clients they have/had. Interestingly enough they don't mention either BlockFi nor Swan so this is probably just a small sample of clients that they have interacted with ...
[1]https://nitter.net/panteracapital/status/1362140521800622080
[2]https://unchained.com/
[3]https://nitter.net/lunasats/status/1505068248043343874
[4]https://nitter.net/HubSpot/status/1502787560279576587
[5]https://www.hubspot.com/company-news/hubspot-signs-agreement-to-acquire-the-hustle-adding-content-to-help-scaling-companies-grow-better
[6]https://www.hubspot.com/case-studies/directory

[o_e_l_e_o]

Yup, confirmed per their recent tweet[1].

That tweet is over a year old, from a separate data breach. However, as per the emails going around, Pantera have indeed been affected this time as well: https://nitter.net/nina_kaplan/status/1505410357501870081. This email again seems to confirm what I said above: Names, email addresses, phone numbers, and physical addresses (as well as regulatory classification).

The tweet you shared from Unchained is about yet another separate data breach, this one from a marketing agency called ActiveCampaign. In addition to the information above, it also says IP addresses as well as information regarding users' loans has been leaked.

The bottom line is any information you give to a centralized exchange or service is highly likely to end up leaked across the entire internet sooner or later. Take that in to consideration next time you go handing out your personal details.

[dkbit98]

While this may be a bit farfetched, you can find a list of case studies[6] that demonstrate the impact that HubSpot had in a particular company. I'm not saying that all of them got affected - it depends if they were still clients of them and such - but it does give you an idea of which clients they have/had. Interestingly enough they don't mention either BlockFi nor Swan so this is probably just a small sample of clients that they have interacted with ...

If you check websites like haveibeenpwned.com, you will see similar leaks are popping up all the time, and who knows how many more are unreported in public.
I noticed some of the most recent include cryptocurrency exchanges like BTC-Alpha and financial apps like Robinhood

- ZAP-Hosting
- CDEK
- Robinhood
- MacGeneration
- NVIDIA
- GiveSendGo
- RedDoorz
- BTC-Alpha
- ShockGore
- Open Subtitles
https://haveibeenpwned.com/

The bottom line is any information you give to a centralized exchange or service is highly likely to end up leaked across the entire internet sooner or later. Take that in to consideration next time you go handing out your personal details.

I agree with you totally on this, but people just don't listen until they get burned.
It's not hard to use alternative personal information like temp email, alternative phone number, PO box for you delivery address, etc.
Hardest thing would be to use alternative legal name, but that can also be arranged and it's not as dangerous as giving away other personal information I mentioned before.

[Charles-Tim]

But once you have the personal details of a person from a service you know they use, then you can specifically target them, making the email appear to come from the service you know they use and including their personal details in the email to make things much more convincing.

Exactly. But still if the user is not clicking on the emails, the user is still perfectly fine, but this is the way many newbies are scammed because of little knowledge and ignorance of phishing attack. Although, if properly checked, it can still be known that it is a phishing attempt but it is just good to never click on emails not authorized for.

I wonder how it would be when many people that can do physical attacks would know how transaction is. Exchanges data leak is very common, it occcur all years. It can come to a time attackers will directly come to someone's home, telling him how data was breached on the exchange the prson is using and how they need to know his balance on the exchange. Even checking wallets and the likes. Transferring thcoins to a noncustododial wallet. This may seem impossible, but there is nothing impossible. I can remember some strangers were calling during ledger data breach about how they will visit victims home.

[Fivestar4everMVP]

One of the most common phishing emails that anyone will receive is to verify their Metamask wallet.



Any newbie can easily fall for the above scam. They use the KYC trick to lure newbies to click on the blue button. Be careful with such emails and delete them whenever anyone receives such mails.

This was exactly how my first wallet was hacked in 2016, and even till today, what ever amount of Eth that goes into that wallet is immediately transfered to another wallet, I don't know how the scammer did it, but my guess is that he or she(what ever gender the person is) has a smart contract built which monitors his or her victims wallets addresses 24/7 and the contract is able to transfer to another wallet any amount of eth sent to their victims wallet.

I lost a good amount of money from the hack if I calculate by today's eth price, but the good thing is that I learnt, and I or anybody I know can never be victim to this kind of phishing attack again.