BlockFi confirms unauthorized access to customer data hosted on Hubspot

New Jersey-based crypto financial institution BlockFi confirmed a data breach incident involving one of its third-party providers, Hubspot. BlockFi’s proactive warning of the breach aims to deter bad actors’ intentions to repurpose user data for fraudulent activities.

According to the NoticeOn Friday, March 18, the hackers gained access to BlockFi’s customer data stored on Hubspot, a customer relationship management platform:

“Hubspot has confirmed that an unauthorized third party has gained access to certain BlockFi customer data stored on their platform.”

As a third-party provider for BlockFi, Hubspot stores user data such as names, email addresses, and phone numbers. In the past, attackers have used such information to conduct phishing attacks and gain access to accounts using user-supplied passwords.

Regarding the recent third-party data incident: pic.twitter.com/50z7IrQ1za

– BlockFi (@BlockFi) March 19, 2022

As of this writing, BlockFi is supporting Hubspot’s investigation to gain clarity on the overall impact of the data breach. While the exact details of the breached data have yet to be identified and disclosed, BlockFi reassured users by noting that personally identifiable information — including passwords, government-issued ID, and social security numbers — “was never stored on Hubspot.”

Additionally, BlockFi has also confirmed that its internal system and customer funds were not accessed and that the breach remains limited to the third-party hubspot.

The company also recommended four methods to help users protect their online presence from attackers – good password hygiene, two-factor authentication (2FA), allowing trusted applications, and vigilance against scammers.

In a final note, BlockFi acknowledged that time is of the essence and are accelerating their investigations to determine the extent of the breach:

“Additional information will be emailed to all affected customers in the coming days.”

Investors are advised to exercise caution in any corporate communication, particularly when it comes to urgently requesting/changing personal information, including passwords and wallet addresses.

Related: Rare Bear’s Discord phishing attack snaps up $800,000 worth of NFTs

On Friday, March 18, the recently launched Nonfungible Token (NFT) project Rare Bears was attacked, resulting in the theft of nearly $800,000 worth of NFTs.

warning @BearsRare
Unfortunately, Discord has been compromised. Please DO NOT click any links, connect your wallet and block all incoming DMs in our Discord. Our team is working on the situation as we speak

— Rare Bears (@BearsRare) March 17, 2022

As Cointelegraph reported, the attack was carried out by a hacker who posted a phishing link on the project’s Discord channel and ended up stealing 179 NFTs.