Topic: Another day, another data leak - more phishing likely - page 2. (Read 435 times)

It has always been risky, data leaks have been happening right from mtgox till now, there will likewise be some that will even go unreported, so people who have their personal information with centralized services should be aware that it can be made public at anytime when a hack occurs, and another one surely will.
It is not only about storing their coins with centralized services, when this hacks occur, money is stolen, and personal information too, even if you don't lose money, you can lose your personal data, and with that a lot of negative things can be targeted at you, physical robbery inclusive.

It is becoming even more riskier releasing datas this days to centralized exchanges, not for the sake of avoiding the KYC verification process but for the ease to which this centralized exchange servers get hacked and compromised.

Hubspot was possibly a big catch for this hackers knowing how much data they had in their servers as a digital marketing hub and this won't stilll discourage crypto enthusiast from storing their coin with this centralized exchanges many still prefer it to having their full privacy

That's a really disingenuous way of reporting that information by HubSpot. I'm sure many people reading "fewer than 30 HubSpot accounts" would think that fewer than 30 individuals have been affected. In reality a single account belonging to BlockFi could contain the data of many millions of users.

2 companies (BlockFi and Swan) out of ~30 certainly isn't "focusing" on crypto companies. Therefore, as I suspected in my initial post, there are almost certainly many other exchanges and services which have leaked customer data here. The fact we haven't seen more companies reporting this means that either their data handling practices are so bad they don't even know they have been affected, or they are deliberating choosing to keep users in the dark. I'm not sure which is worse.

Hubspot is really more of a CRM software SaaS for (inbound) marketing and sales and services. According to this article, customer data is stored on AWS. That means that the platforms hosts customer data for multiple clients, logically separated by different account credentials.

According to Hubspot’s press release (*), an employee account was compromised, allowing the hackers to obtain data from around 30 Hubspot accounts. An account is a Client (i.e. corporation), so it’s like stating that they may have information for a wide range of customers related to 30 different companies. Furthermore, their press release stated that the focus was on crypto companies, which were their customers, and as a result, information related to these companies’ customers are likely in possession of the hackers.

Allegedly, the information they obtained access to was contact data. Hubspot is often used to send people emails, letters, and attend their service tickets so although there is no public detail of the leaded information, the probable set is going to be in the line of name, surname, email, phone, addresses and so forth, but it will depend on what each company that using Hubspot gathered. We can see what their customer records looks like here:
https://knowledge.hubspot.com/contacts/hubspots-default-contact-properties
There could be more delicate data gathered in service records, but there is no public statement to this regards.

As stated in the OP, the most likely use of the information is going to be targeted phishing campaigns, whereby the emails can be tailored to address a person by his full name, relate them as being a customer of a given company (that they’d impersonate), and perhaps add some extra information from the customer record to make it more convincing – all with a call to action in a brief period of time from (phishing) email reception.


(*) See:
https://ir.hubspot.com/news/hubspots-statement-regarding-march-18-2022-security-incident
https://www.hubspot.com/en-us/march-2022-security-incident

Note:
If anybody wants to read a very entertaining book on working at Hubspot, from a 50+ year old’s perspective, here's a reference:
Dan Lyons – Disrupted -  My Misadventure in the Start-Up Bubble (2016, Hachette Books)

Edit: Allegedly, Pantera Capital is another of the corporations impacted.

It's good that OP mentioned this data leak. At least people could be aware of it and prepare for it well before they are being scammed.
It's always better to double check the URLs we are logging into and bookmark the sites to be on the safer side.


What ? Is that even possible ? How can one possible change the from address in an email ?
It were so then every scammer would be doing it by now and we would be getting hundreds of fraud/scam complaints on daily basis.

After Ledger Leak, nothing can surprise me anymore, it's only a matter of time before a company that keeps data is hacked, and then someone sells all the data or even publishes it publicly. As always, everything should be verified and no one should be trusted blindly - if you receive an email and you are not sure if it came from a legitimate source, ask for confirmation from the legitimate support of that company - and if you are sure it is phishing, save others by mark this mail as spam. That way, such emails will mostly end up in a spam folder where most will not even notice them.

As for calls and SMS, I suggest you block calls and messages from unknown numbers using apps that some smartphones already have, or look for a proven app in your app store. As a last resort, you can always change your e-mail address and phone number - the only problem is if your residential address has become publicly available, in which case pay attention to personal protection in terms of surveillance cameras, security doors, alarms, and self-defense firearms.

Yeah, that's the difference. Anyone can send round a mass email instructing people to verify their seed phrase or something equally stupid. But once you have the personal details of a person from a service you know they use, then you can specifically target them, making the email appear to come from the service you know they use and including their personal details in the email to make things much more convincing.

No, but there is a big difference between giving your personal details to your bank so you can take out a mortgage, and giving your details to dozens of strangers across many different centralized exchanges and services who are going to share and sell your data with a bunch of third parties, all of which have unknown (and often very poor) security practices.

BlockFi also state that the data "included" name, email and phone number for the "majority" of their users.

For me, that's easy to realize. My habit is that I won't log into any account on 2 or more different devices.
If that link redirects me to the Binance page in the logged in state, I'll check a few other subpages especially the notifications and withdrawal history page before I assume it's really not phishing.

One of the most common phishing emails that anyone will receive is to verify their Metamask wallet.



Any newbie can easily fall for the above scam. They use the KYC trick to lure newbies to click on the blue button. Be careful with such emails and delete them whenever anyone receives such mails.

In my email I have received email from Electrum, ledger and other kind of wallets asking for verify my wallet or I will lose my wallet access. The email is written is a way that an inexperience user will defiantly fall for the trap. Someone with experience will know that there are no centralized service for your desktop and hardware wallets so there are nothing such can happen. So obviously this is a scam and the email has phishing link to steal your private key and seed.

But...
Imagine you have account with Binance. You have not KYCed you account. An email from binance official (email containing the domain name binance.com. For example [email protected]) asking your to KYC your account and to do that they have given a link button in the email. They also said if you do not do it immediately then they will freeze your assets. What would you do?

You will click the link button, login and WTF! Using a script one can easily send email using any email address in the from field. So receiving email from [email protected] does not mean that the email came from Binance.

So these days receiving an email means this could be a nuclear bomb for you. If you handle it without care then this might destroy everything for you. The sad part? No one will know about it and can do anything about it.

When you are with any financial institute or with any important business, always save their main URL in a document. Always login from those saved URLs instead of logging in from any link that came in the email or SMS.

This is time for information, an era of information. There are many service you will need in your life and they will take your personal information. You can not avoid it sadly. The only way for us is to be aware, and to be educated to avoid any accident.

Good topic by the way.

HubSpot are a marketing agency. They collect data and use it to serve you ads, social media marketing, various content, and what not. Yesterday, they were hacked, resulting in the theft of the personal information of an unknown number of people - name, address, email, phone number, etc.

Why should you care? Because it turns out a variety of centralized crypto services have been sharing/selling your data with/to this marketing agency.
Here's the tweet from BlockFi confirming their users are affected: https://nitter.net/BlockFi/status/1504982848771608586
And another tweet from Swan: https://nitter.net/SwanBitcoin/status/1505261139571191813

No doubt we will see more crypto services admitting they were also handing your data over to HubSpot in the coming days.

Users affected can expect phishing emails at the very least pretending to be from these companies and trying to get users to hand over account credentials or seed phrases or complete password resets. I'd also be concerned about SMS phishing or SIM swap attacks, as well as attempted forced access to email and other accounts. More complex phishing attempts could also be attempted, such as those that we saw after the Ledger data leak.

Just another one of the many risks you take when you hand over your personal information to centralized services.