HubSpot and Mailchimp’s CRM Data Breaches Raise Crypto Phishing Fears

Posted on May 6, 2022 | BLOG


Data breaches in March 2022 targeting the crypto user-related data managed by two of the biggest marketing service providers, HubSpot and Mailchimp, have raised concerns about the safety of crypto users’ investments, which might consequently be targeted in phishing campaigns. The latest crypto-focused data breaches follow previous episodes such as Ledger’s database hack in July 2020 as well as MetaMask phishing that had devastating consequences for their victims.

HubSpot Data Hacked

HubSpot, a provider of customer relationship management (CRM) and sales and marketing solutions, was targeted in a cybersecurity breach on March 18 which compromised the contact data of about 30 of its customers. The attack appears to have targeted cryptocurrency companies specifically, including Pantera Capital, BlockFi, and Swan Bitcoin.

According to reports, a hacker tapped into the HubSpot database through a compromised employee account and harvested private information, such as personal names, emails, addresses, account types, phone numbers, and company names.

HubSpot immediately amended the access protocols of the compromised HubSpot account after the attack and removed the ability of employee accounts to perform activities connected to their clients.

While investigations are still underway, HubSpot has urged customers of affected companies to reach out to their respective platforms to inquire about the extent of the stolen information, which may vary from company to company, as well as the steps they could take to maximize their security.

Mailchimp Breach Targets Trezor Users

Mailchimp, another CRM company with a focus on email marketing, recently reported a massive breach in their database, with hackers making use of a compromised internal tool that allowed them to steal private information from crypto companies, businesspersons, and influencers. While the marketing platform became aware of the infiltration on March 26 and deactivated the hacked employee accounts, the hackers were still able to access roughly 300 Mailchimp user accounts and acquire data from 102 of them, including data on their audiences.

Considering that the stolen information can easily be used to phish affected users, it is not hard to see this attempt as a means to an end; it’s likely part of a broader scheme to steal crypto assets from users.

In fact, hardware wallet provider Trezor has already confirmed that its users started receiving email notifications regarding a data breach that prompted them to download a new application from a fake web portal created by the hacker in an elaborate attempt to steal their recovery seeds.

No stolen funds have been reported from Trezor users yet, but one thing is clear – a skilled hacker/hacker group now holds information on a great many people’s contact details and the hardware wallet and software they use. It’s not hard to imagine what plans the hackers might be devising right now.

Security Measures for Crypto Users Against Phishing Attacks

Here are some safety tips to stay protected against phishing attempts. These security measures are not only applicable to affected companies but also serve as general guidelines for all crypto users.

1. Assume centralized entities can be easily breached

Centralized entities, including exchanges, wallet providers, media outlets, etc., collect personal data from users. As if this isn’t troubling enough, they often use third-party tools and platforms to manage all this data, which creates more access points that bad actors can exploit. Since it’s nearly impossible to avoid subscribing to these services and entities, never take their emails or methods of communication at face value. Anything can get compromised, even the CRM applications of decentralized platforms.

2. Stay up to date on the latest phishing schemes

There are instances when user data is harvested elsewhere without public knowledge; for example, remember the Cambridge Analytica scandal? Hackers often use personal data such as phone numbers or emails to pose as legitimate organizations and obtain sensitive information like private keys from targeted crypto users. Therefore, it is paramount to regularly read up on the latest exploit strategies and take extra care not to fall for phishing attempts. 

3. Use multi-factor authentication (MFA) systems

While it may be inconvenient to have to verify and authenticate your log-ins, the few extra seconds required are well worth it for the safety of your funds. Make sure to always turn on MFA controls so you’ll be notified whenever someone attempts to access your accounts.

4. Create unique email accounts for different wallets and exchanges

If you have a number of crypto addresses and exchanges you use, it’s smart to create different email addresses for each one. This way, you ensure that hackers can only target the breached email address and associated information in question. 

What Could Happen Next After the CRM Breaches?

While the crypto space is filled with world-class innovators, bad actors are just as ingenious and are often one step ahead. This time, CRM databases appear to be the next hot target in the crypto underworld, although this new development could extend to virtually any platform that stores the private information of customers. HubSpot and Mailchimp were the first, but other similar platforms like Zoho or Salesforce could be next. To stay on the safe side, it’s best to take action as if this latest hacking incident is only the beginning – because it most likely is.

The Future of Data Security

Today, we are in the early stages of decentralizing the storage and management of user information, with many projects researching how to use blockchain technology to securely manage large amounts of data efficiently. We also have protocols like the InterPlanetary File System (IPFS) and Arweave that can trustlessly store information and easily trace or authenticate any data request from various other entities.

Beyond the decentralization of CRM, the emergence of Web3, touted as the future of the Internet, presents us with even greater methods of data privacy. Up-and-coming trustless and self-governing tools could one day tear down the monopoly of user information propagated by centralized entities and empower personal data sovereignty.