
Topic: BitBox Data Breach! (Read 235 times)

hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
July 30, 2022, 01:54:03 PM
#14
Best way to avoid this is to buy in official shops with cash, or make your own signing device.
Buying in official shops with cash might not be possible in the area where a customer lives. And it doesn't fix the problem when you register for a newsletter later in the onboarding process.

Everyone should use a unique and unrelated email address from your usual identity for such newsletters or services. This might mitigate consequences of such data breaches a little.

So far, I went the route to create my own signing device, mainly because I'm not too happy with what commercial hardware wallets offer or cost and I don't feel the urge to need a commercial device yet.
legendary
Activity: 2212
Merit: 7064
July 29, 2022, 02:28:08 PM
#13
Interesting thing about the official Shiftcrypto announcement is them saying they "anonymize personal information after 30 days".
I think this applies to private information of customers who purchase hardware wallets.
They can't delete newsletter information when they use a third-party service for that, so it's on different computers they don't control :)

Who's the next? They don’t learn anything.
I don't know who is going to be next (probably Ledger), but I would say it could be any company that is depending on third-party services for storing customers' sensitive information.
Nobody knows how many times leaks like this happened in the past, but news about this never got released in public.
Best way to avoid this is to buy in official shops with cash, or make your own signing device.
JL0
full member
Activity: 817
Merit: 158
Bitcoin the Digital Gold
July 25, 2022, 05:30:30 AM
#12
Who's the next? They don’t learn anything.

Someone already received a phishing email:

Source: https://www.reddit.com/r/BitBoxWallet/comments/w49g9x/received_a_phishing_email_from_bitboxs_newsletter/

Thanks for keeping us up to date @dkbit98.
legendary
Activity: 2730
Merit: 7065
July 25, 2022, 03:30:38 AM
#11
Not again!
Luckily and hopefully, it's just newsletter subscribers, and addresses and phone numbers were not stolen. They did get IP addresses, and many of them were probably not masked in any way.

Interesting thing about the official Shiftcrypto announcement is them saying they "anonymize personal information after 30 days". So they are not deleting info about their clients, just removing identifiable information. It would be interesting to see what it is they do exactly and why not delete it all in the first place? Maybe they have backups and ways to restructure the anonymized data if government institutions ask them about it.
legendary
Activity: 952
Merit: 1386
July 25, 2022, 02:13:15 AM
#10
Shiftcrypto today released a warning that the hosted service ActiveCampaign they used for sending newsletters has been compromised.

Again... a leak because of a newsletter. I understand it could be fancy to outsource everything that is not the core business, but in the end it only causes problems. It is much better to invest minimum effort and be able to say that every aspect of the business (especially when you are in the crypto sector) is self-controlled. How may I trust you and give you my money if you cannot keep my email safe?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
July 23, 2022, 12:08:59 PM
#9
I know it's a bitter pill to swallow for HW companies, but in order to protect consumers from phishing scams as a result of their mailing list being breached, they have to stop using mailing list services, since they can get breached at any time. Of course, I'm not expecting most of them to do this, especially if they are heavily dependent on them for advertising.

Of course, this makes it extremely hard to send newsletters in the first place, because most mail services will just block addresses that send bulk emails to many different recipients.
legendary
Activity: 2702
Merit: 4002
July 22, 2022, 08:10:33 AM
#8
I don't know, but how can these companies rely on third-party services, and then customers bear the full damage with no investigation about the company or third-party service taking place? They even mentioned below that they didn't get answers.


Quote
Their security team informed us that an unauthorized party downloaded email lists, even though we are using their additional comprehensive security measures, including mandatory 2FA account access. Despite pushing for details, ActiveCampaign has not provided answers to fundamental questions yet.


Frankly, the reliance of these services on third-party applications is an excuse for them not to bear the responsibility of protecting currency data and to ensure that they can provide it to any new third party, now they can sell that data and make arguments and importance as what happened above.
legendary
Activity: 2212
Merit: 7064
July 22, 2022, 06:56:44 AM
#7
That's true, but people who use Tor or VPN are less likely to join such newsletters. Email newsletters are known to have a few privacy issues such as tracking pixels and links.
I wouldn't say that is true, it's not like those people are not using emails at all.
People sign up for all kinds of newsletters even if they use Tor or VPN; maybe additional unique temp emails would be a good combination.

Hmm, I'll have to look into that--and I don't recall reading anything about that in the HW section.  But man, Raspberry Pis are so expensive these days it's ridiculous.  I'm assuming you could use any similar device(?), but all of those SBCs are going for big bucks.
It's harder to find them and the price is higher than it should be in normal conditions, but the gobrrr.me website is currently selling them for a decent price of €28, or you can buy a full SeedSigner kit starting from €78.
There are similar devices like Banana Pi or Orange Pi, etc., but you won't find them for a much cheaper price now.

On the other hand, I'm assuming none of this compromises the security of the Bitbox itself, just the privacy of Bitbox users.  I've played around with a few HW wallets (with the Bitbox being one of them), and I can't remember if or when I had to enter an e-mail address.  With the Bitbox, do you have to enter it only if you want their newsletter?
This was only for the newsletter, but in theory this could happen with all customer data, if they are using other partners for storing any information.
Everyone should remember how ALL customer information from millions of people was leaked from Ledger.

SeedSigner is bitcoin only, afaik, which means "no" for many.
Many more will say YES to Bitcoin only.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
July 22, 2022, 05:31:47 AM
#6
Shiftcrypto will not be sending any more marketing emails until this incident is resolved

Since many people don't read the news and many bitcoiners are not on this forum, I do expect some will fall for phishing, with or without emails sent by Shiftcrypto...

These things are going to happen in future with all hardware wallets, so I see a big value in DIY signing devices like SeedSigner that use a Raspberry Pi.

Raspberry Pis are overly expensive and out of stock in most places.
SeedSigner is bitcoin only, afaik, which means "no" for many.
SeedSigner may need a bit of knowledge if you indeed want to DIY (although I think that one can buy it already made too).
legendary
Activity: 3528
Merit: 7005
Top Crypto Casino
July 22, 2022, 04:44:44 AM
#5
These things are going to happen in future with all hardware wallets, so I see a big value in DIY signing devices like SeedSigner that use a Raspberry Pi.
Hmm, I'll have to look into that--and I don't recall reading anything about that in the HW section.  But man, Raspberry Pis are so expensive these days it's ridiculous.  I'm assuming you could use any similar device(?), but all of those SBCs are going for big bucks.

On the other hand, I'm assuming none of this compromises the security of the Bitbox itself, just the privacy of Bitbox users.  I've played around with a few HW wallets (with the Bitbox being one of them), and I can't remember if or when I had to enter an e-mail address.  With the Bitbox, do you have to enter it only if you want their newsletter?

Thanks so much for the info, dkbit98.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
July 21, 2022, 05:22:44 PM
#4
Shiftcrypto was using ActiveCampaign, a small cloud software platform based in Chicago, and this shows that it's much better to use your own platform instead of using third-party partners.
Only if they bother to afford a security expert and someone with experience running a self-hosted email server.
I was about to say; rolling your own infrastructure definitely gives you more control over your customers' data, but it also leaves all the responsibility on your shoulders.
Just because you host the email server yourself doesn't immediately mean it is secure from hacking attacks.

It's worth mentioning that apparently in this case, just like Trezor, it's about the newsletter database - which means that by the simple action of not opting into each and every single newsletter offer you find online, you can reduce the risk of being attacked all by yourself.
legendary
Activity: 2212
Merit: 7064
July 21, 2022, 11:22:16 AM
#3
The best way to protect ourselves is just to avoid sending our data. Create a lot of throw away emails, one password for each site (using a password manager), never complete KYC unless strictly necessary, etc...
You can't really avoid completing the KYC procedure when you are ordering something like a hardware wallet from the internet.
The only way you can bypass this is if you purchase the device locally with cash, or if you use an alternative name, shipping address, temporary email, etc. for ordering online.
Generally speaking, I suspect every email that I receive, especially if it's something related to crypto.

This is concerning since you could get a decent amount of information from an IP address, such as the region where you live and the ISP you use. It's worse for BitBox customers whose ISP gives a static IP but who have default poor router security.
It's easy to use Tor or a VPN in 2022 to mitigate this issue, but I think that identification from smartphones using a combination of the IMEI number and IPv6 addresses reveals even more information about your location.

Only if they bother to afford a security expert and someone with experience running a self-hosted email server.
I think that only Foundation Passport is using a self-hosted email server out of all hardware wallets, but there is no perfect protection from leaks.
You can always have an insider leak from someone who was working for the hardware wallet manufacturer, but I guess the risk is much less this way.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
July 21, 2022, 06:37:30 AM
#2
Shiftcrypto today released a warning that the hosted service ActiveCampaign they used for sending newsletters has been compromised.

Every time you put your data online, you can consider it exposed...

Those companies share a lot of user data between them, and our personal information is just shared again and again... and sometimes, one of these companies is just careless about its security and we see some "data breach".

The best way to protect ourselves is just to avoid sending our data. Create a lot of throw away emails, one password for each site (using a password manager), never complete KYC unless strictly necessary, etc...

Because sooner or later any data you put online is going to the dark net and will be sold and used for phishing/spam.
legendary
Activity: 2212
Merit: 7064
July 21, 2022, 05:29:41 AM
#1
Shiftcrypto today released a warning that the hosted service ActiveCampaign they used for sending newsletters has been compromised.
An unauthorized party downloaded email lists containing customer names or aliases, email addresses and computer IP addresses.
Other personal information like postal addresses or any information from the BitBox hardware wallet was NOT compromised, according to Shiftcrypto.

The real danger of this data breach is that you could receive phishing emails pretending to be Shiftcrypto, so you should be aware of that and never enter seed words anywhere online, or download any software from received emails.
Shiftcrypto will not be sending any more marketing emails until this incident is resolved, and this reminds me of a similar situation that happened with Trezor and their newsletter partner.
These things are going to happen in future with all hardware wallets, so I see a big value in DIY signing devices like SeedSigner that use a Raspberry Pi.

Shiftcrypto was using ActiveCampaign, a small cloud software platform based in Chicago, and this shows that it's much better to use your own platform instead of using third-party partners.
Instead of learning from the bad examples of Ledger and Trezor, Shiftcrypto did nothing until it was too late.

Official Shiftcrypto blog post with more information:
https://shiftcrypto.ch/blog/data-breach-of-marketing-platform-activecampaign/
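The post above warns that the leaked list will be used for phishing mails that impersonate Shiftcrypto, and an earlier reply in the thread mentions tracking pixels and links as the privacy problem of newsletters. The following is an added example, not code from Shiftcrypto, ActiveCampaign or anyone in this thread: a small screener that pulls the indicators a practitioner would check by hand out of a raw message (envelope sender vs. From domain, link targets vs. the domain shown in the link text, 1x1 remote images, text asking for seed words). The trusted domain `shiftcrypto.ch` and both sample messages are assumptions constructed for this example; the sample "phishing" mail is synthetic and not a real campaign.

```python
"""Screen a raw e-mail for phishing/tracking indicators (added example)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"shiftcrypto.ch"}           # assumed brand domain for the check
SEED_PHRASES = ("seed", "recovery phrase", "backup words", "24 words", "12 words")

# Constructed sample: From header and link text mimic the brand, the actual
# link target, envelope sender and tracking image point elsewhere.
SAMPLE_RAW = b"""From: BitBox Support <support@shiftcrypto.ch>
Return-Path: <bounce@mail-campaign.example.net>
Subject: Action required: verify your BitBox
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your wallet needs a security update. Enter your 24 words at
<a href="https://shiftcrypto.ch.update-portal.example.com/verify">https://shiftcrypto.ch/verify</a></p>
<img src="https://track.example.net/open?id=123" width="1" height="1">
</body></html>
"""

# Constructed sample of a benign mail from the same sender.
CLEAN_RAW = b"""From: BitBox Support <support@shiftcrypto.ch>
Subject: Firmware release notes
Content-Type: text/html; charset=utf-8

<html><body><p>Release notes are on <a href="https://shiftcrypto.ch/blog/">our blog</a>.</p></body></html>
"""


def domain_of(url_or_addr):
    """Last two host labels of a URL or mailbox; enough to compare brands here."""
    if "://" in url_or_addr:
        host = urlparse(url_or_addr).hostname or ""
    else:
        host = url_or_addr.rsplit("@", 1)[-1]
    return ".".join(host.lower().split(".")[-2:]) if host else ""


class _Extract(HTMLParser):
    """Collect links (href + visible text), images and visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self.text = [], [], []
        self._href, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._buf = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append((a["src"], a.get("width"), a.get("height")))

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def screen(raw_bytes, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; empty list means nothing flagged."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    rp_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_dom and rp_dom != from_dom:          # bulk sender hiding behind a brand From
        findings.append(f"envelope sender {rp_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _Extract()
    parser.feed(body.get_content() if body else "")
    for href, shown in parser.links:
        target = domain_of(href)
        if target not in trusted:
            findings.append(f"link to untrusted domain {target}")
        if "://" in shown and domain_of(shown) != target:   # displayed URL != real URL
            findings.append(f"link text shows {domain_of(shown)} but points to {target}")
    for src, width, height in parser.images:
        if (width, height) == ("1", "1") or domain_of(src) not in trusted:
            findings.append(f"remote/tracking image from {domain_of(src)}")
    visible = " ".join(parser.text).lower()
    for phrase in SEED_PHRASES:                 # no legitimate vendor asks for these
        if phrase in visible:
            findings.append(f"asks about seed words ({phrase!r})")
            break
    return findings


if __name__ == "__main__":
    for name, raw in (("sample phishing", SAMPLE_RAW), ("clean", CLEAN_RAW)):
        print(name, "->", screen(raw) or "no findings")
```

The domain comparison deliberately looks at the last two labels only, so `shiftcrypto.ch.update-portal.example.com` resolves to `example.com` and is flagged even though the hostname starts with the brand; a production check would use the public suffix list instead. None of this replaces the rule in the post itself: seed words are never entered anywhere online, whatever a mail says.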
