A rogue employee working at HubSpot – used by more than 135,000 (and growing) customers to manage marketing campaigns and on-board new users – has been fired over a breach that zeroed in on the company’s cryptocurrency customers, the company confirmed on Friday.
The breach has rippled through the crypto industry: As of Monday, crypto lending platform BlockFi, bitcoin-purchasing automation platform Swan Bitcoin, bitcoin company NYDIG, peer-to-peer payments technology company Circle and cryptocurrency fund Pantera Capital (which was hit a month prior) had been affected.
That list comes from the financial media outlet Blockworks, which has reviewed emails the companies have sent to customers, along with public tweets, advising customers on how to stay safe.
The damage was minimal, HubSpot said in its March 18 notification: The thieves exported data from fewer than 30 customer portals. It’s already notified the victimized companies, the company said.
Threatpost asked HubSpot for a full list of affected HubSpot cryptocurrency customers, as well as confirmation of what superpowers its super admins have over customer data stored in the customer relationship management (CRM) platform. It responded by referring to one of those “we’ve been breached” canned statements that breached companies tend to put out: namely, “We take the privacy of our customers and their data incredibly seriously.”
‘Bad Actor’ Has Been Canned
HubSpot said that it learned on Friday that a “bad actor” had compromised a HubSpot employee account – namely, what sounds like one of the ‘super admin’ accounts HubSpot has on both internal and external sides of its platform, according to another HubSpot super admin – and that the attack was focused on stealing data from its cryptocurrency industry customers.
“We have terminated access for the compromised HubSpot employee account and removed the ability for other employees to take certain actions in customer accounts.” —HubSpot
The rogue employee was attempting to access contact data, HubSpot said. CMS Wire reported that HubSpot handed over details about the employee’s actions to affected customers.
Data Stolen That Never Should Have Been There
On Saturday, the day after HubSpot reported the breach, Swan Bitcoin reassured customers that it uses HubSpot for “limited client communication and marketing data,” not for financial information, transactions, or other sensitive personal or financial information.
“You don’t have to do anything,” Swan reassured customers: “Your funds are safe. Your Bitcoin is not at risk.”
Yesterday, Hubspot, a third-party marketing vendor, confirmed a bad actor within their company gained access to Swan client marketing data.
Read Cory’s email to clients in the attached screenshots for details.
We’ll keep you updated.
— Swan Bitcoin Client Services (@SwanBitcoin) March 19, 2022
At least initially, it looked like data swept up in the breach was limited to names, emails, account types, phone numbers and, in some cases, company names, Swan said. The exfiltrated data didn’t include Social Security numbers, tax IDs, birth dates, government IDs, bitcoin addresses or balances, according to Swan CEO Cory Klippstein.
But as of Tuesday, the situation looked a bit more grim, as Swan followed up with more details uncovered in its forensic investigation. It turns out that 0.2 percent of the dataset included “a limited historical snapshot of USD deposits,” the company said – an inclusion that’s “against company policy.” The company said that it’s conducted a post-mortem to ensure that the slippage won’t happen again.
As well, about 1.2 percent of the dataset included clients’ intended investment areas or the median net worth of their approximate geographic locales.
“All of this sensitive data has been removed from client communications services,” Klippstein tweeted.
We previously announced that our client communications vendor, Hubspot, was hacked.
After an additional forensic investigation of the Hubspot data leak, we found more information to report.
Please see the attached screenshots for the details.
— Swan Bitcoin Client Services (@SwanBitcoin) March 22, 2022
The fact that sensitive financial or personal data weren’t included in the dataset is a positive. But there’s still plenty of damage that can be done with the details that were exfiltrated, security specialists – and that HubSpot Super Admin – hastened to point out, starting with social engineering attacks.
Just What Data Do CRMs Handle?
HubSpot officials told CMS Wire that “Some employees have access to HubSpot accounts,” which allows certain employees – such as account managers and support specialists – to help out customers. “In this case, a bad actor was able to compromise an employee account and make use of this access to export contact data from a small number of HubSpot accounts,” HubSpot reportedly said.
In writing for Bitcoin Magazine, HubSpot super admin Robert Warren described exactly what can be done with his level of access rights, which, internally, allows employees to “hop between company accounts and export contact lists (and potentially all associated CRM data).”
“While it is true that financial data is not stored in the CRM, you should be aware that data associated with the users of these companies and their behaviors is logged in the CRM,” Warren wrote. “This puts users in a unique position to be targeted in social engineering attacks.”
He gave the following examples of the types of data that CRM systems can store and which may have been exported in the HubSpot breach:
- IP addresses
- Email histories with representatives at the associated companies and any messages or notes those representatives have on customers and their accounts
- Customer browsing behavior on associated company websites
- Mailing and/or shipping addresses
- How customers are characterized internally by companies (“big buyer,” “whale,” “mid-sized contact,” “small user,” etc.)
- Individual customers’ financial value to companies
- Any and all deals customers have done with compromised companies and any associated values, email negotiations or contacts
- Help tickets or requests customers have logged with compromised companies
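The access pattern Warren describes above, an internal account hopping between customer portals and exporting contact lists, is what a defender would want to alert on. The following is an added example, not HubSpot’s or any vendor’s code: it flags staff accounts that export contacts from several distinct customer portals within a short window, or in unusually large batches. The audit-event field names and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events (not real HubSpot data); the field names are assumed.
SAMPLE_EVENTS = [
    {"ts": "2022-03-18T09:00:00", "actor": "support-07", "portal": "p-1001", "action": "contact.export", "rows": 420},
    {"ts": "2022-03-18T09:04:00", "actor": "support-07", "portal": "p-1002", "action": "contact.export", "rows": 9800},
    {"ts": "2022-03-18T09:09:00", "actor": "support-07", "portal": "p-1003", "action": "contact.export", "rows": 2300},
    {"ts": "2022-03-18T09:15:00", "actor": "support-07", "portal": "p-1004", "action": "contact.export", "rows": 15100},
    {"ts": "2022-03-18T10:30:00", "actor": "support-12", "portal": "p-2001", "action": "contact.view", "rows": 1},
    {"ts": "2022-03-18T11:00:00", "actor": "support-12", "portal": "p-2001", "action": "contact.export", "rows": 350},
    {"ts": "2022-03-19T11:05:00", "actor": "support-12", "portal": "p-2002", "action": "contact.export", "rows": 120},
]


def detect_suspicious_exports(events, window=timedelta(hours=1),
                              portal_threshold=3, row_threshold=10000):
    """Return {actor: sorted reasons} for staff accounts whose contact exports
    look like cross-tenant harvesting rather than routine support work.

    Two signals are combined:
      * 'cross_portal': exports from >= portal_threshold distinct customer
        portals inside a sliding time window of length `window`.
      * 'bulk_export':  a single export larger than row_threshold rows.
    """
    exports = defaultdict(list)
    for e in events:
        if e["action"] == "contact.export":
            exports[e["actor"]].append(
                (datetime.fromisoformat(e["ts"]), e["portal"], e["rows"]))

    alerts = {}
    for actor, evs in exports.items():
        evs.sort()  # chronological; tuples sort on the timestamp first
        reasons = set()
        start = 0
        for end, (ts, _portal, rows) in enumerate(evs):
            if rows > row_threshold:
                reasons.add("bulk_export")
            # Slide the window start forward until evs[start:end+1] fits in `window`.
            while ts - evs[start][0] > window:
                start += 1
            distinct_portals = {p for _, p, _ in evs[start:end + 1]}
            if len(distinct_portals) >= portal_threshold:
                reasons.add("cross_portal")
        if reasons:
            alerts[actor] = sorted(reasons)
    return alerts
```

Thresholds are deliberately parameters: a support specialist legitimately touches one or two portals per ticket, so the baseline for "normal" should come from the organization’s own audit history rather than the constants used here.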
Breach Is ‘Not Surprising’
Camellia Chan, CEO and founder of embedded artificial intelligence (AI) company X-PHY (a Flexxon brand), told Threatpost that given the surge in digital currency development, the breach “isn’t terribly surprising.”
“Surges in technological advancement create the perfect environment for cybercrime to flourish,” Chan said. “So, with the rapid development of digital currencies was sure to come a rise in the cybersecurity risks associated with it.”
The incident spotlights a much wider issue, Chan said: namely, the quantity of sensitive data that these types of organizations store across the enterprise.
It “puts not only a specific business at risk, but threatens the potential growth, development, and future success of the entire digital currency industry,” the CEO said.
Data Shared with Third-Parties Slips Out of Your Hands
Chris Clements, vice president of solutions architecture at cybersecurity company Cerberus Sentinel, told Threatpost that software-as-a-service (SaaS) and managed service providers are tempting targets, given that cybercriminals know that if they successfully compromise the provider, “they will likely gain access to the data or networks of hundreds or thousands of the providers’ downstream customers.
“It’s a shortcut to mass exploitation that could otherwise take the attacker months or even years to achieve independently,” Clements said via email.
Word to the wise, HubSpot customers. Clements said that it’s “imperative” for organizations to understand that whatever data they share with third-party partners or vendors “largely becomes out of their control and with little recourse should it be stolen if the 3rd party is compromised.”
Clements advised that all third parties be part of a regularly updated risk analysis based on the level of access or sensitivity of data shared with them.
“The results of the risk analysis should inform a cybersecurity strategy for partner or vendor controls and mitigations to provide a higher level of security assurance as is deemed necessary,” he continued.
Such assessments should be backed up by mechanisms that verify that third parties are “taking appropriate steps to provide the needed security assurances and that they can prove it by sharing details about their controls or results of independent validation like a penetration test,” Clements said.
“Not all vendors or partners can or will share this with their customers, but it’s critical that in absence of that an organization throw up their hands as if nothing further can be done,” he emphasized.
He gave these examples of the questions that should be covered:
- Are there controls or safeguards built into the service platform that offer tighter controls or enhanced monitoring capabilities?
- Are there operational processes that can limit potential data exposure from a breach of a partner like maximum data retention lifetimes?
- At worst, is it no longer an acceptable risk to continue to do business with the company and to seek out alternatives?
“These are all best practices for cybersecurity 3rd party management, but in order for them to be comprehensively applied, your organization requires a true culture of security that ensures that all external data sharing is evaluated for compliance with its own cybersecurity goals,” he suggested.