As a third-party BlockFi provider, Hubspot stored user data such as names, email addresses, and phone numbers, historically used for phishing attacks.

New Jersey-based cryptocurrency financial institution BlockFi has confirmed a data breach incident through one of its third-party providers, Hubspot. BlockFi’s proactive warning about the breach attempts to deter bad actors from reusing user data for fraudulent activities.

BlockFi’s Announcement

According to the announcement, on Friday, March 18, hackers accessed BlockFi customer data stored on Hubspot, a client relationship management platform. The announcement reads, “Hubspot has confirmed that an unauthorized third party accessed certain BlockFi customer data hosted on its platform.”

As a third-party provider to BlockFi, Hubspot stored user data such as names, email addresses, and phone numbers. Historically, bad actors have used such information to conduct phishing attacks and gain access to accounts through user-provided passwords.

On Twitter, BlockFi assured that their “internal systems and client funds are safeguarded and were not impacted.”

At the time of this writing, BlockFi is supporting Hubspot’s research to gain clarity on the overall impact of the data breach. While the exact details of the breached data have yet to be identified and disclosed, BlockFi reassured users by noting that personal data – including passwords, government-issued IDs, and social security numbers – “was never stored at Hubspot.”

Additionally, BlockFi has confirmed that there was no access to its internal system and customer funds and that the breach is limited to the third-party provider, Hubspot.

BlockFi’s Recommendations

The company recommended four methods to help users protect their online presence from bad actors: good password hygiene, two-factor authentication (2FA), trusted app listings, and vigilance against scammers. We comment on these below:

Good password hygiene refers to the use of strong passwords that are unique to every service.

Active two-factor authentication (2FA) means that users should turn on an authenticator app or a hardware authentication tool, such as a YubiKey.

Active allowlisting for BlockFi means adding a new allowlisted address every time you need to withdraw. This implies that all withdrawals will be subject to a 7-day hold, which presumably reduces the risk of a bad actor affecting you.

Extra vigilance against swindles is necessary, whether they arrive via email, phone calls, or text messages. The main point: if an offer seems too good to be true, beware, as it might be fraudulent.

Lastly, BlockFi acknowledged that time is of the essence and that they are accelerating their investigations to identify the extent of the breach. BlockFi further stated that, “Additional information will be emailed to all affected customers in the coming days.”

Investors should be careful with all company communications, especially those that urgently request personal data or ask to change it, including passwords and wallet addresses.

In related, more recent news, on Friday, March 18, an attack was reported on the recently launched non-fungible token (NFT) project Rare Bears, resulting in the theft of nearly $800,000 worth of NFTs. Responsible for the attack was a hacker who posted a phishing link on the project’s Discord channel, ultimately stealing 179 NFTs.

By Audy Castaneda
