Bitcoin companies saw their customers’ personal information leak after a HubSpot employee account was hacked.
Customer relationship management (CRM) service HubSpot last week suffered a security breach that leaked the personal information of thousands of Bitcoin users after a bad actor obtained access to an employee account and exported data from up to 30 HubSpot portals.
NYDIG, Swan and BlockFi are among the companies whose customers’ names, emails, and phone numbers were stolen in what HubSpot said was a targeted attack on cryptocurrency firms and users.
Swan issued another statement on Tuesday saying that further investigation had found a whole new class of information was also breached, including "a limited historical snapshot of USD deposits" and "clients' intended investment range or the medium net worth of their approximate geographic area."
Personally identifiable information (PII) is valuable for tailored follow-up attacks, especially against cryptocurrency users, who hold value in a digital form – which is both easier to store and to steal. Hackers often leverage or buy stolen information to attempt to swipe bitcoin funds using a slew of different techniques that range from simple phishing attacks to more complex scams.
A Bitcoiner deposits their trust in a third party whenever they leverage a centralized entity for a service, such as buying bitcoin, depositing it as collateral to access a loan, or simply for custody. The common denominator in many cases is simply convenience, a benefit that comes with an extensive set of tradeoffs, including data sharing.
However, the bigger issue is arguably that those companies often also resort to third parties for their own convenience, extending the trust ladder further beyond what the customer had initially assessed in their mental threat model – even though companies tend to be transparent in their terms of service.
In any case, decentralized alternatives exist to mitigate such threats. From Bisq to Hodl Hodl and beyond, there is almost always a more robust option for Bitcoin users to retain their privacy while cutting back the odds that such incidents happen. Though not as convenient, peer-to-peer (P2P) alternatives remove the need to trust intermediaries and give the power back to the user – which is arguably a keystone principle of Bitcoin.
UPDATE (Mar 22, 2022 – 8:59 PM UTC): Adds information in the 3rd paragraph on the types of data the hacker obtained on Swan's customers.