HubSpot confirmed that a “bad actor” targeted its network primarily to steal data of its customers in the cryptocurrency industry.
HubSpot is a widely used CRM platform. Companies across many sectors use it to store customer and prospect data, including names, email addresses, and phone numbers, and use that data to run and track marketing campaigns.
HubSpot Data Breach - What Happened?
HubSpot, a Cambridge, Massachusetts-based CRM, sales, and marketing software vendor, confirmed a cybersecurity incident on 18 March 2022, stating that the attacker specifically targeted its clients in the cryptocurrency industry.
In its initial investigation, HubSpot found that the attacker had compromised a HubSpot employee account. HubSpot grants some employees, such as support specialists and account managers, access to customer portals so they can assist customers; it was one of these privileged accounts that was compromised, giving the attacker the same view of customer data that the employee had.
HubSpot terminated the compromised account quickly and restricted the other employee accounts that had access to customer data. The investigation is still underway, and more details may emerge.
Impact of the Breach:
The breach affected fewer than thirty HubSpot portals. Companies reported to be affected include NYDIG, BlockFi, Circle, and Swan Bitcoin. Swan and BlockFi have confirmed being impacted, noting that their customers' financial data and funds were not affected but that personal information may have been exposed.
HubSpot states that the attacker took only the contact and user information the affected companies stored in HubSpot, and that internal data such as passwords was not exposed: HubSpot is a third-party tool that holds only the data each company chose to sync to it, so the attacker never reached the companies' own systems. Even so, a name, email address, and account type are enough to craft convincing targeted phishing, and many users of the affected firms have already reported receiving phishing messages.
Swan Bitcoin’s CEO Cory Klippsten confirmed the data breach in a tweet on 19 March 2022. The CEO released an updated statement on Twitter to address customers’ concerns regarding the data breach incident and sent a letter to its customers via email. The company’s initial statement read:
“For clients and prospective clients, the data included: name, email addresses, account type (personal, business, or retirement), phone, and in some cases company name, if this information was provided at the time of sign-up or inquiry.” On 22 March 2022, Klippsten tweeted that around 0.2% of the exposed dataset included a “historical snapshot of USD deposits,” and that the inclusion of this data was against the company's policy. Approximately 1.2% of the dataset comprised clients' potential investment range and the average net worth of their geographic region.
BlockFi also tweeted a statement regarding the HubSpot data breach. However, the company did not specify what information was exposed and only listed what was not: its internal servers, client account passwords, client funds, government-issued ID numbers, and Social Security numbers.
Both affected firms confirmed that the attacker did not breach their own networks and that only the data stored in their HubSpot portals was exposed.