Another day, another data leak - more phishing likely

[RickDeckard]

Yup, confirmed per their recent tweet[1].

That tweet is over a year old, from a separate data breach. However, as per the emails going around, Pantera have indeed been affected this time as well: https://nitter.net/nina_kaplan/status/1505410357501870081. This email again seems to confirm what I said above: Names, email addresses, phone numbers, and physical addresses (as well as regulatory classification).

The tweet you shared from Unchained is about yet another separate data breach, this one from a marketing agency called ActiveCampaign. In addition to the information above, it also says IP addresses as well as information regarding users' loans has been leaked.[/url]

It looks like that I was able to miss most of my twitter findings regarding this particular breach, my bad! However I think we ought to see that this won't be the last time that a leak of private information will happen...

The bottom line is any information you give to a centralized exchange or service is highly likely to end up leaked across the entire internet sooner or later. Take that in to consideration next time you go handing out your personal details.

I would like to believe that most people would want to be cautious against sending their personal information to a random server but now, more than ever, I honestly don't believe that people care about it. They are willing to trade that little piece of private information that they have in exchange for whatever "goods" the service may give to them or that they may find useful. How many people do we known that blindly click on "Accept all conditions" whenever they are using their Facebook/Gmail/Random internet service account as a way to "register" to platforms? They are trading their information by a way to quickly register to a certain service, most of the time they don't even care to read what kind of information will they be trading for such a "process"...

(snip) I can remember some strangers were calling during ledger data breach about how they will visit victims home.

This almost sound like a dystopian future but you're right, it did happened and it was scary as hell. Just imagine receiving an e-mail such as this[1] one. Sure it could be 100 % fake - the address ended up receiving less than 5 USD[2] - but what if it wasn't? Would you be willing to risk the safety of your family being full aware that your address and name was tied to a leak regarding Ledger product purchases? In at least one of the hacks we're talking about 270k users information that was leaked[3] and if we assume that most of the members had family and such, we're talking about jeopardizing the privacy/lifes of a handful of people around the globe.

On a related note, about one year ago - April 6th - a class action lawsuit was filled[4][5] by Schneider Wallace. As they put it "Plaintiffs allege Ledger and Shopify “negligently allowed, recklessly ignored, and then intentionally sought to cover up” the data breach. The complaint was filed in the Northern District of California."[/li][/list] Looking forward for what may come out of it eventually...
[1]https://libreddit.spike.codes/r/ledgerwallet/comments/kh8q82/fantastic/
[2]https://blockchair.com/bitcoin/address/16Hg8rPPFRtqCjxpwibUnpd4uVVvNj5Gmz
[3]https://cointelegraph.com/news/ledger-data-leak-a-simple-mistake-exposed-270k-crypto-wallet-buyers
[4]https://www.schneiderwallace.com/media/ledger-shopify-class-action-lawsuit-data-breach-cover-up/
[5]https://www.schneiderwallace.com/wp-content/uploads/2021/05/Chu-et-al-v.-Ledger-SAS-SWCK-Cryptocurrency-Lawsuit.pdf

[1715362691]

1715362691

[1715362691]

1715362691

[o_e_l_e_o]

I don't know how the scammer did it, but my guess is that he or she(what ever gender the person is) has a smart contract built which monitors his or her victims wallets addresses 24/7 and the contract is able to transfer to another wallet any amount of eth sent to their victims wallet.

Such set ups are quite common. Another common scam involving Ethereum addresses is for someone to publicly reveal the private key to an address which has a substantial amount of tokens on it (usually pretending it was an accident), and whenever anyone sends any ETH to the address to cover the gas fees to try to move the tokens, the ETH is immediately transferred out to another address. I don't really feel bad for these people who lose their ETH, though, since they were trying to steal the tokens in the first place.

They are trading their information by a way to quickly register to a certain service, most of the time they don't even care to read what kind of information will they be trading for such a "process"...

It's far worse than that. People actually spend their money to bug their own houses with devices which listen to everything they say and even record their every movement, all so they can listen to a certain song without having to pick up their phone and tap the screen a few times. And then they act surprised when they get served ads for things they were talking about to their family. And of course, all that recorded data is no more immune to hacks, leaks, or being sold than all the other data we are already discussing here.

[PrimeNumber7]

Circle was apparently affected by this breach. According to Circle, "in the course of [their] marketing outreach initiativessic we received prospect data from various sources and stored that information in our HubSpot account".

This implies that someone's information being stored in CIrcles HubSpot account was not necessarily a function of having a Circle account, but rather was a function of the person's information being on some marketing list. If the above is true (and is true for other HubSpot clients), I would say the breach is likely not as serious as it may otherwise have been. It would mean that having your information in Circle's HubSpot account would not mean the person had a Circle account, and that there would be a lot of overlap between people in each HubSpot account.

[o_e_l_e_o]

And throw NYDIG (New York Digital Investment Group) in to the mix too, who are a provider of bitcoin and associated services to institutional clients. Still, we know that 30 companies were affected, and the attack was "focused on crypto related companies", so more names to come I'm sure.

I would say the breach is likely not as serious as it may otherwise have been.

Even if this is the case, this breach could still easily lead to someone losing their coins, and it will only be matter of time before the next breach which might include KYC documents, passwords, account balances, or who knows what else.

[aysg76]

Another one of the back stage data leaks by the CRM company who provides services to the crypto companies and the fact which is not ignorant by us is that these centralised services will always find their profits at the first stage and sell your personal information without you knowing.

Even if we talk about such data breaches in other companies also then it's not new and they are summoned to respond to the allegations like meta,google apple all are collecting the user data and getting access to the files but in these crypto space this becomes more dangerous as you are no longer anonymous and your data is being used for different purposes.

We should be extra cautious because our security lies in our hand and most people can fall for these phising emails scam asking to fill out your password and other information being the orginal company mail but they are not so be careful with them.

~snip~

As per them only 30 account have been compromised but they have still not given the full disclosure of the list to avoid any further defamations but you could probably come with some excuses to safeguard yourself like saying hackers got access to employees account through which this was possible.

They have also given the assurance that internal information is safe like pasword because Hubspot is external tool but still the email scams can compromise lot of information of the users in this industry stored on their storage.

These are the reasons we must always be cautious before signing up for any service and thanks to the forum that we have an idea about the ongoing fraudulent activities in this space and how to be safe from them.

[PrimeNumber7]

I would say the breach is likely not as serious as it may otherwise have been.

Even if this is the case, this breach could still easily lead to someone losing their coins, and it will only be matter of time before the next breach which might include KYC documents, passwords, account balances, or who knows what else.

You are right, this breach will likely (and likely already has) lead to some people losing coin via social engineering attacks. I think it is best to teach people how to spot these types of attacks, and how to protect themselves. While it is a laudable goal for people to not ever give any personal information to any company, and to have "100% privacy" I don't think this is a realistic goal.

It is not a matter of time before exchange breaches include password (hashes), account balances and similar, as this has happened in the past, multiple times. It is important that people are aware of the risk of their sensitive personal information leaking before giving it up to centralized exchanges.

[RickDeckard]

Even if this is the case, this breach could still easily lead to someone losing their coins, and it will only be matter of time before the next breach which might include KYC documents, passwords, account balances, or who knows what else.

I was just looking for information regarding the Passport discussion thread and I think that you'll like of what I found - just hear Zach Herbert opinion[1] regarding how people care about their data, I think you'll find a reply that's very close to what we've been discussing on this thread (and have discussed in the past). People will just be aware of how fragile their information on the internet is secured whenever they are deeply impacted by it. I can't tell you the times that many colleagues of mine just say "I don't care, I don't use it no more" whenever I show the results of multiple breaches of services attached to their e-mails on haveibeenpwned website... It just baffles me how careless they are with the single and most important piece of information that they may have as individuals...
[1]https://youtu.be/DFLte6GbCys?t=1314

[PX-Z]

I have received lots of crypto spam emails, sms and even calls in the past few years because of ledger hacked, **too annoyed.

Now, now if i remember correctly i only use kucoin exchange (due to not requiting kyc) now if kucoin will admit that they use such platform, then it will be another wave of spams indeed which is too annoying in my part specially in a way of calls, which gives me worried answering even the legit calls from legit company.

[o_e_l_e_o]

As per them only 30 account have been compromised

As we discussed above, each account belongs to a company, and each company could store the data of millions of users.

but they have still not given the full disclosure of the list to avoid any further defamations

This is particularly concerning behavior. If your data is compromised, at the very least you deserve to know about it. The fact we've only heard from five of these thirty companies is scandalous.

It is not a matter of time before exchange breaches include password (hashes), account balances and similar, as this has happened in the past, multiple times.

I should have been more clear - it's only a matter of time until the next KYC data breach. Obviously there have been countless in the past.

then it will be another wave of spams indeed which is too annoying in my part specially in a way of calls, which gives me worried answering even the legit calls from legit company.

Everyone should be using disposable email accounts and phone numbers to be signing up for centralized exchanges, since they've shown time and again they cannot be trusted to protect your data.

[o_e_l_e_o]

An update from Swan Bitcoin: https://nitter.net/SwanBitcoin/status/1506355008127877123

Approximately 0.2% of the dataset included a limited historical snapshot of USD deposits. The inclusion of this data occurred against company policy, and we have conducted a full post-mortem to ensure this cannot happen in the future.

Approximately 1.2% of the dataset included clients' intended investment range or the median net worth of their approximate geographic area.

So in this not-at-all-surprising twist, turns out (as with pretty much every data leak) that this leak was more serious than initially thought and contained some sensitive financial information on a number of users. How did HubSpot get access to this data when it wasn't supposed to happen? What other data did they have access to, and from which companies, that they weren't supposed to have access to?

They also state that "ten companies" have made public disclosures about this hack. I count five - BlockFi, Swan, Circle, Pantera, NYDIG. Who are the others?

[DdmrDdmr]

Taking a big leap, but in order to make it more comprehensible by known association, HubSpot can be seen as a conceptual functional subset of what Salesforce is. That is to say, some companies use it (HubSpot) as their (minor) full-fledged CRM, and therefore, for any given lead or prospect qualification campaign, they may ask for specific information that is tailored to the campaign’s needs of information.

For example, one can easily envision how a given Swan Lead generation campaign asking their leads to provide their annual income, or another asking for the investment range. This data may be only demanded in certain campaigns, thus not found on all customer records (i.e. the small percentages they mention in their status release). This data will likely remain attached to the historical record of the person, as he moves from lead to prospect and then to client.

This sort of information can either be part of the predefined data fields defined in the CRM (see the default contact details here), or managed and stored through added custom fields (see here). This is all part of the contact data record, which APIs can give access to with more or less effort and understanding.

I haven’t seen the complete list of names of the 30 or so companies affected by the leak. I wouldn’t expect Hubspot to release it to the public, but rather it should be each affected company that contacts its own user base. There are normally regulations that delimit the timeframe to divulge this information to those affected users, as well as ethical and early alert considerations.
 
Judging by the time that has gone by, albeit it not being tremendous, it should have been paramount for companies to have contacted their own set of customers on the matter at hand by now. It should, therefore, probably be known by now to the general public, derived from public reports made from notified customers. The fact that the complete list of 30 or so companies it yet not known, suggests that some are taking way too long to do their part ...