Data Leak At Unchained Capital, NYDIG, Swan & BlockFi. At The Same Time

What do Unchained Capital, NYDIG, Swan Bitcoin, and BlockFi have in common? Third-party providers. Even though the four companies confronted the data leak head-on and admitted their wrongs, the compromised security was someone else’s. Luckily, the data the bad actors stole was not critical financial information, but marketing-driven personal info. Terrible, to be sure, but not as terrible as it could have been.

Related Reading | BlockFi Survey Says 33% Of Women Plans To Buy Crypto This Year

All the companies – Unchained Capital, NYDIG, Swan Bitcoin, and BlockFi – released press releases with mea culpas. Let’s explore them to see what we learn from them.

What Does Unchained Capital Have To Say For Themselves?

The company’s CEO and Co-Founder, Joseph Kelly, addressed the problem through a letter in the Unchained Capital blog. Kelly let everyone know that “a security incident that occurred at one of the vendors we previously used for email marketing.” Also, that “there is no impact whatsoever to Unchained Capital’s systems.” Then, he described what happened:

“ActiveCampaign (“AC”), a third-party email marketing provider that Unchained Capital used until early in 2022, was the subject of a social engineering attack last week. This attack occurred after Unchained Capital had closed its AC account and requested that all data be purged.”

Notice that the provider, ActiveCampaign, is not the same as in the following three cases. Unchained Capital makes clear that none of this was stolen: “client profile information containing personally identifiable information (e.g. addresses, SSN, DOB, IDs, phone numbers used in our KYC process), bank account numbers, passwords, bitcoin addresses, bitcoin balances, loan balances, trading activity, vault statements, loan statements.”

On the other hand, the “data included: email addresses, usernames, account status (active/inactive) and whether the client had an active vault or loan with Unchained Capital (yes or no).” And, for some unlucky users, “their name, email address, and IP address”

What should compromised users do?

“It is always important that our clients be diligent about confirming all communications and any requests that appear to come from Unchained Capital. Given the data leak, clients should be on high alert for any spear phishing attempts. Be especially careful about clicking on any links.”

BTC price chart for 03/21/2022 on Oanda | Source: BTC/USD on TradingView.com

Swan Bitcoin, NYDIG, And BlockFi Point At Hubspot

We could ensemble the same press release that Unchained Capital put out using these three companies’ communications. The difference is, Hubspot is the culprit party here. A similar company to ActiveCampaign, but, a different company altogether. Is there any more to this story? Is someone targeting these bitcoin-related companies?

Let’s see what we can learn from Swan Bitcoin’s letter. Their description of the situation namedrops Hubspot four times in the first paragraph:

“On March 18th, 2022 one of our third-party vendors, Hubspot, confirmed that a bad actor gained access to Hubspot data after a Hubspot employee account was compromised. Hubspot notified us that the compromise was to a portion of their platform that included Swan client data.”

Yesterday, Hubspot, a third-party marketing vendor, confirmed a bad actor within their company gained access to Swan client marketing data.

Read Cory’s email to clients in the attached screenshots for details.

We’ll keep you updated. pic.twitter.com/qtXVk5AOW8

— Swan Bitcoin (@SwanBitcoin) March 19, 2022

They also described the size of the damage with comforting words “We use Hubspot for limited client communication and marketing data. We do not use Hubspot to store financial information, transactions, or other sensitive personal or financial information.” So, nothing to see here, right?

Let’s look at BlockFi, the company describes the situation in more dramatic terms. “To be clear, BlockFi’s internal systems and client funds are safeguarded and were not impacted. We can also confirm that BlockFi account passwords, government-issued ID numbers and social security numbers were never stored on Hubspot.”

Here are steps to protect your online presence from third-party bad actors: pic.twitter.com/tOKf16wOuf

— BlockFi (@BlockFi) March 19, 2022

And they don’t downplay the damage so much:

“As part of Hubspot being used for CRM and marketing purposes, BlockFi stored data that included name, email, and phone number for the majority of our clients. We are working with Hubspot as they continue their investigation to understand the full scope of impact.”

Neither does NYDIG, who ended their press release with a call to action for clients:

“To protect yourself, it is important that you exercise extra vigilance and care when reviewing or responding to emails, text messages, and phone calls, particularly those related to NYDIG.”

What Are Unchained Capital, Swan Bitcoin, NYDIG, And BlockFi Doing About It?

To answer this, we quote Swan’s Cofounder Yan Pritzker, who tweeted:

“We have been working round the clock since the incident with procedures including a data scrub, termination of further data to 3rd parties and complete audit. We will put out a comprehensive plan in the next week which will include moving away from using vendors for email.”

Startups rely on 3rd parties because it would be impossible to get a company off the ground if you build everything yourself. We chose vendors with extremely high standards. Hubspot had soc 2 type ii certification, for example. But it’s clearly time to take this in house.

— Yan Pritzker (@skwp) March 20, 2022

And, since all the company’s responses have been similar, we hope their security procedures are similar also. However, a few burning questions remain. Were these companies targeted? Were the bad actors precisely looking for the information they got? Will we hear about these leaks in the future, connected to a bigger story? 

Related Reading | Bitcoin Firm NYDIG Gets $200m Injection from Morgan Stanley, Soros

If all of the companies would’ve been using just one service, that would be one thing. But both ActiveCampaign and Hubspot? On the same day? Targeting four bitcoin-related companies? There might be more to this story.

Featured Image by National Cancer Institute on Unsplash | Charts by TradingView