HubSpot, a marketing and sales platform suffered a data breach over the weekend impacting multiple firms including Circle, BlockFi, Pantera Capital, and NYDIG.
In emails to clients, the companies revealed their operations were not impacted and their treasuries were not at risk. Although user information was leaked to hackers, passwords and other internal information were not stolen.
The breach was the result of a hacker securing access to an employee account and using it to target our customers in the cryptocurrency industry. Threat actors stole data from 30 HubSpot portals, and the company has notified all affected firms, terminated the account, and reworked its account privileges to ensure something like this doesn’t repeat, HubSpot explained in a blog post.
Although HubSpot did not publish a full list of impacted firms, some media managed to identify a few names. Decrypt, a crypto news platform revealed that Pantera Capital, an American Crypto venture capital firm, sent out a letter to its customers, which said "Pantera uses Hubspot as a client relationship management platform. The information that may have been accessed includes first and last names, email addresses, mailing addresses, phone numbers, and regulatory classifications."
“While our investigation is ongoing, we wanted to share these initial findings even as we may learn additional facts through our investigation that cause the details above to change or evolve,” HubSpot concluded. At this time, a timeline of events is unknown as HubSpot has not revealed when its systems were compromised.
“SaaS and managed service providers are enticing targets for cybercriminals as they know that if they successfully compromise the provider, they will likely gain access to the data or networks of hundreds or thousands of the providers’ downstream customers,” Chris Clements, vice president of solutions architecture at information technology service management firm Cerberus Cyber Sentinel Corp., stated. “It’s a shortcut to mass exploitation that could otherwise take the attacker months or even years to achieve independently.”
It’s essential that firms understand that the data they share with third-party vendors largely passes out of their control and with little recourse should it be stolen if the third party is compromised, Clements concluded.