Topic: Another day, another data leak - more phishing likely (Read 410 times)

Taking a big leap, but in order to make it more comprehensible by known association, HubSpot can be seen as a conceptual functional subset of what Salesforce is. That is to say, some companies use it (HubSpot) as their (minor) full-fledged CRM, and therefore, for any given lead or prospect qualification campaign, they may ask for specific information that is tailored to the campaign’s needs of information.

For example, one can easily envision how a given Swan Lead generation campaign asking their leads to provide their annual income, or another asking for the investment range. This data may be only demanded in certain campaigns, thus not found on all customer records (i.e. the small percentages they mention in their status release). This data will likely remain attached to the historical record of the person, as he moves from lead to prospect and then to client.

This sort of information can either be part of the predefined data fields defined in the CRM (see the default contact details here), or managed and stored through added custom fields (see here). This is all part of the contact data record, which APIs can give access to with more or less effort and understanding.

I haven’t seen the complete list of names of the 30 or so companies affected by the leak. I wouldn’t expect Hubspot to release it to the public, but rather it should be each affected company that contacts its own user base. There are normally regulations that delimit the timeframe to divulge this information to those affected users, as well as ethical and early alert considerations.
 
Judging by the time that has gone by, albeit it not being tremendous, it should have been paramount for companies to have contacted their own set of customers on the matter at hand by now. It should, therefore, probably be known by now to the general public, derived from public reports made from notified customers. The fact that the complete list of 30 or so companies it yet not known, suggests that some are taking way too long to do their part ...

An update from Swan Bitcoin: https://nitter.net/SwanBitcoin/status/1506355008127877123


So in this not-at-all-surprising twist, turns out (as with pretty much every data leak) that this leak was more serious than initially thought and contained some sensitive financial information on a number of users. How did HubSpot get access to this data when it wasn't supposed to happen? What other data did they have access to, and from which companies, that they weren't supposed to have access to?

They also state that "ten companies" have made public disclosures about this hack. I count five - BlockFi, Swan, Circle, Pantera, NYDIG. Who are the others?

As we discussed above, each account belongs to a company, and each company could store the data of millions of users.

This is particularly concerning behavior. If your data is compromised, at the very least you deserve to know about it. The fact we've only heard from five of these thirty companies is scandalous.

I should have been more clear - it's only a matter of time until the next KYC data breach. Obviously there have been countless in the past.

Everyone should be using disposable email accounts and phone numbers to be signing up for centralized exchanges, since they've shown time and again they cannot be trusted to protect your data.

I have received lots of crypto spam emails, sms and even calls in the past few years because of ledger hacked, **too annoyed.

Now, now if i remember correctly i only use kucoin exchange (due to not requiting kyc) now if kucoin will admit that they use such platform, then it will be another wave of spams indeed which is too annoying in my part specially in a way of calls, which gives me worried answering even the legit calls from legit company.

I was just looking for information regarding the Passport discussion thread and I think that you'll like of what I found - just hear Zach Herbert opinion[1] regarding how people care about their data, I think you'll find a reply that's very close to what we've been discussing on this thread (and have discussed in the past). People will just be aware of how fragile their information on the internet is secured whenever they are deeply impacted by it. I can't tell you the times that many colleagues of mine just say "I don't care, I don't use it no more" whenever I show the results of multiple breaches of services attached to their e-mails on haveibeenpwned website... It just baffles me how careless they are with the single and most important piece of information that they may have as individuals...

---

[1]https://youtu.be/DFLte6GbCys?t=1314

You are right, this breach will likely (and likely already has) lead to some people losing coin via social engineering attacks. I think it is best to teach people how to spot these types of attacks, and how to protect themselves. While it is a laudable goal for people to not ever give any personal information to any company, and to have "100% privacy" I don't think this is a realistic goal.

It is not a matter of time before exchange breaches include password (hashes), account balances and similar, as this has happened in the past, multiple times. It is important that people are aware of the risk of their sensitive personal information leaking before giving it up to centralized exchanges.

Another one of the back stage data leaks by the CRM company who provides services to the crypto companies and the fact which is not ignorant by us is that these centralised services will always find their profits at the first stage and sell your personal information without you knowing.

Even if we talk about such data breaches in other companies also then it's not new and they are summoned to respond to the allegations like meta,google apple all are collecting the user data and getting access to the files but in these crypto space this becomes more dangerous as you are no longer anonymous and your data is being used for different purposes.

We should be extra cautious because our security lies in our hand and most people can fall for these phising emails scam asking to fill out your password and other information being the orginal company mail but they are not so be careful with them.

As per them only 30 account have been compromised but they have still not given the full disclosure of the list to avoid any further defamations but you could probably come with some excuses to safeguard yourself like saying hackers got access to employees account through which this was possible.

They have also given the assurance that internal information is safe like pasword because Hubspot is external tool but still the email scams can compromise lot of information of the users in this industry stored on their storage.

These are the reasons we must always be cautious before signing up for any service and thanks to the forum that we have an idea about the ongoing fraudulent activities in this space and how to be safe from them.

And throw NYDIG (New York Digital Investment Group) in to the mix too, who are a provider of bitcoin and associated services to institutional clients. Still, we know that 30 companies were affected, and the attack was "focused on crypto related companies", so more names to come I'm sure.

Even if this is the case, this breach could still easily lead to someone losing their coins, and it will only be matter of time before the next breach which might include KYC documents, passwords, account balances, or who knows what else.

Circle was apparently affected by this breach. According to Circle, "in the course of [their] marketing outreach initiativessic we received prospect data from various sources and stored that information in our HubSpot account".

This implies that someone's information being stored in CIrcles HubSpot account was not necessarily a function of having a Circle account, but rather was a function of the person's information being on some marketing list. If the above is true (and is true for other HubSpot clients), I would say the breach is likely not as serious as it may otherwise have been. It would mean that having your information in Circle's HubSpot account would not mean the person had a Circle account, and that there would be a lot of overlap between people in each HubSpot account.

Such set ups are quite common. Another common scam involving Ethereum addresses is for someone to publicly reveal the private key to an address which has a substantial amount of tokens on it (usually pretending it was an accident), and whenever anyone sends any ETH to the address to cover the gas fees to try to move the tokens, the ETH is immediately transferred out to another address. I don't really feel bad for these people who lose their ETH, though, since they were trying to steal the tokens in the first place.

It's far worse than that. People actually spend their money to bug their own houses with devices which listen to everything they say and even record their every movement, all so they can listen to a certain song without having to pick up their phone and tap the screen a few times. And then they act surprised when they get served ads for things they were talking about to their family. And of course, all that recorded data is no more immune to hacks, leaks, or being sold than all the other data we are already discussing here.

It looks like that I was able to miss most of my twitter findings regarding this particular breach, my bad! However I think we ought to see that this won't be the last time that a leak of private information will happen...
I would like to believe that most people would want to be cautious against sending their personal information to a random server but now, more than ever, I honestly don't believe that people care about it. They are willing to trade that little piece of private information that they have in exchange for whatever "goods" the service may give to them or that they may find useful. How many people do we known that blindly click on "Accept all conditions" whenever they are using their Facebook/Gmail/Random internet service account as a way to "register" to platforms? They are trading their information by a way to quickly register to a certain service, most of the time they don't even care to read what kind of information will they be trading for such a "process"...

---

This almost sound like a dystopian future but you're right, it did happened and it was scary as hell. Just imagine receiving an e-mail such as this[1] one. Sure it could be 100 % fake - the address ended up receiving less than 5 USD[2] - but what if it wasn't? Would you be willing to risk the safety of your family being full aware that your address and name was tied to a leak regarding Ledger product purchases? In at least one of the hacks we're talking about 270k users information that was leaked[3] and if we assume that most of the members had family and such, we're talking about jeopardizing the privacy/lifes of a handful of people around the globe.

On a related note, about one year ago - April 6th - a class action lawsuit was filled[4][5] by Schneider Wallace. As they put it "Plaintiffs allege Ledger and Shopify “negligently allowed, recklessly ignored, and then intentionally sought to cover up” the data breach. The complaint was filed in the Northern District of California."[/li][/list] Looking forward for what may come out of it eventually...

---

[1]https://libreddit.spike.codes/r/ledgerwallet/comments/kh8q82/fantastic/
[2]https://blockchair.com/bitcoin/address/16Hg8rPPFRtqCjxpwibUnpd4uVVvNj5Gmz
[3]https://cointelegraph.com/news/ledger-data-leak-a-simple-mistake-exposed-270k-crypto-wallet-buyers
[4]https://www.schneiderwallace.com/media/ledger-shopify-class-action-lawsuit-data-breach-cover-up/
[5]https://www.schneiderwallace.com/wp-content/uploads/2021/05/Chu-et-al-v.-Ledger-SAS-SWCK-Cryptocurrency-Lawsuit.pdf

This was exactly how my first wallet was hacked in 2016, and even till today, what ever amount of Eth that goes into that wallet is immediately transfered to another wallet, I don't know how the scammer did it, but my guess is that he or she(what ever gender the person is) has a smart contract built which monitors his or her victims wallets addresses 24/7 and the contract is able to transfer to another wallet any amount of eth sent to their victims wallet.

I lost a good amount of money from the hack if I calculate by today's eth price, but the good thing is that I learnt, and I or anybody I know can never be victim to this kind of phishing attack again.

Exactly. But still if the user is not clicking on the emails, the user is still perfectly fine, but this is the way many newbies are scammed because of little knowledge and ignorance of phishing attack. Although, if properly checked, it can still be known that it is a phishing attempt but it is just good to never click on emails not authorized for.

I wonder how it would be when many people that can do physical attacks would know how transaction is. Exchanges data leak is very common, it occcur all years. It can come to a time attackers will directly come to someone's home, telling him how data was breached on the exchange the prson is using and how they need to know his balance on the exchange. Even checking wallets and the likes. Transferring thcoins to a noncustododial wallet. This may seem impossible, but there is nothing impossible. I can remember some strangers were calling during ledger data breach about how they will visit victims home.

If you check websites like haveibeenpwned.com, you will see similar leaks are popping up all the time, and who knows how many more are unreported in public.
I noticed some of the most recent include cryptocurrency exchanges like BTC-Alpha and financial apps like Robinhood

- ZAP-Hosting
- CDEK
- Robinhood
- MacGeneration
- NVIDIA
- GiveSendGo
- RedDoorz
- BTC-Alpha
- ShockGore
- Open Subtitles
https://haveibeenpwned.com/

I agree with you totally on this, but people just don't listen until they get burned.
It's not hard to use alternative personal information like temp email, alternative phone number, PO box for you delivery address, etc.
Hardest thing would be to use alternative legal name, but that can also be arranged and it's not as dangerous as giving away other personal information I mentioned before.

That tweet is over a year old, from a separate data breach. However, as per the emails going around, Pantera have indeed been affected this time as well: https://nitter.net/nina_kaplan/status/1505410357501870081. This email again seems to confirm what I said above: Names, email addresses, phone numbers, and physical addresses (as well as regulatory classification).

The tweet you shared from Unchained is about yet another separate data breach, this one from a marketing agency called ActiveCampaign. In addition to the information above, it also says IP addresses as well as information regarding users' loans has been leaked.

The bottom line is any information you give to a centralized exchange or service is highly likely to end up leaked across the entire internet sooner or later. Take that in to consideration next time you go handing out your personal details.

Yup, confirmed per their recent tweet[1]. I think we can also assume that Unchained Capital[2] was also affected[3]. In my quest for affected companies I did found tweet[4] where a user stated that the twitter account of Sam Parr - he sold his business "The Hustle" to Hubspot last year[5] - was hacked around 12th of March. Coincidence?

---

While this may be a bit farfetched, you can find a list of case studies[6] that demonstrate the impact that HubSpot had in a particular company. I'm not saying that all of them got affected - it depends if they were still clients of them and such - but it does give you an idea of which clients they have/had. Interestingly enough they don't mention either BlockFi nor Swan so this is probably just a small sample of clients that they have interacted with ...

---

[1]https://nitter.net/panteracapital/status/1362140521800622080
[2]https://unchained.com/
[3]https://nitter.net/lunasats/status/1505068248043343874
[4]https://nitter.net/HubSpot/status/1502787560279576587
[5]https://www.hubspot.com/company-news/hubspot-signs-agreement-to-acquire-the-hustle-adding-content-to-help-scaling-companies-grow-better
[6]https://www.hubspot.com/case-studies/directory

BlockFI and Swan are just two of the companies that reported connection with HubSpot but who knows how many more of them are using them as well.
Leak data from several centralized exchanges, leak data from hardware wallet sellers and you have clear picture of what people are doing.

I just checked my old junk email and it's full with fake emails from Kucoin exchange that I don't even use.
Worst thing than receiving emails is getting phone calls are real letter on your home address, and this things happened with ledger leak before.
It's hard to live in modern world without some of this services but we can use alternative addresses and information to reduce risks.

Where is the database leak for ledger or blockfi?  Could you check if your email has been compromised?

It is probably best to use a unique email address for each crypto-related service you sign up for, and to use a separate phone number for all your crypto-related services (using a unique number for each service is probably not practical).

Over time, there have been so many data breaches that if you have ever provided your information to a crypto service, you are going to be barraged with scam messages. I believe the most common tactic that scammers use is to send emails trying to get people to either provide their credentials or to send coin to an address owned by the scammers under the false pretext that the address belongs to a legitimate service.

Password reset attempts and SIM swap attacks (and similar) are still possible, but they are more difficult to do in masse.

This creates a very risky situation for the users affected. Most of the scam techniques used these days are commonly known and mostly targets newbies. But a personalized phishing attack and a fair bit of panic could fool even the most experienced users out there and this is only the least of concerns; More personalized hacking attempts could be attempted on affected accounts.

More situations like this would occur to dissuade users from submitting their details to random websites.