HubSpot Allegedly Hacked to Target Cryptocurrency Firms
CRM Leader Says Compromise of Employee's Account Led to Data Leak of 30 Companies
Content management software giant HubSpot released a statement Sunday saying that it had been the victim of a data breach on Friday, citing a compromised employee account as the entry point.
Several cryptocurrency firms - BlockFi, Swan Bitcoin, Paxos and NYDIG, among others - have confirmed some customer data was leaked via HubSpot. The customer relationship management firm is a third-party vendor for the cryptocurrency companies, and the leak appears to be an attempt by a malicious actor to access users' details.
"At this time, we believe this to be a targeted incident focused on customers in the cryptocurrency industry," HubSpot says in the statement. "We have terminated access for the compromised HubSpot employee account and removed the ability for other employees to take certain actions in customer accounts."
According to HubSpot, the breach occurred when a threat actor compromised an employee's account. The CMS firm appeared to respond to the breach promptly, and the account has now been isolated to prevent further damage to company networks.
"While our investigation is still underway and we continue to learn additional details, our initial assessment suggests that data was exported from fewer than 30 HubSpot portals, all of whom have been notified," the statement says.
The investigation is ongoing, and HubSpot is advising clients of affected companies to contact customer support.
Crypto Clients Hit
Cryptocurrency companies reportedly targeted in the HubSpot data leak were quick to provide users with online safety protocols and said they had not stored any sensitive information.
Blockchain firm BlockFi stated in a tweet that scammers may be contacting clients in an effort to gain access to their digital wallets. It said its own investigations show that BlockFi's networks were not infiltrated.
Regarding recent third-party data incident: pic.twitter.com/50z7IrQ1za — BlockFi (@BlockFi) March 19, 2022
According to BlockFi, HubSpot was strictly used for marketing purposes and not for housing sensitive data, including account holder passwords, Social Security numbers or other government-issued ID numbers. BlockFi is encouraging clients with concerns to contact HubSpot.
It is also advising account holders to take these steps to protect accounts from threat actors:
- Use strong unique passwords;
- Enable 2FA on all accounts;
- Turn on allowlisting;
- Be wary of any emails, calls or texts from an unknown source.
Allowlisting is a security measure that only allows trusted applications, files and processes to execute. According to BlockFi's policies, allowlisting puts a seven-day hold on a BlockFi account, in addition to the routine security hold of one business day. This practice, the firm says, "significantly reduces the risk of being impacted by a bad actor."
Other cryptocurrency services affected by the data breach are advising a similar combination of online hygiene tactics to deter cybercriminals from accessing accounts.
Third-Party Risk and Response
In the post-SolarWinds world, cybercriminals have discovered that it can be lucrative to hit third parties. The SolarWinds attack was one of the largest cyberattacks to date, and it began with a bad actor breaching a vendor.
Often, third-party vendors hold sensitive information on notable clients and sometimes have more lax security standards. It appears, however, that most of the blockchain firms were savvy to this matter.
Brendan Lane, director of operations for Swan Bitcoin, tweeted about the data leak, citing third parties as a major security risk.
Hey there - just to clarify:
1. Hubspot had a data leak
2. Because 3rd party vendors like Hubspot are security risks, we only store very basic information there (all sensitive info is stored internally)
3. We are actually against KYC laws too. We just want to help people stack
— (@brendanlane00) March 19, 2022
Paxos, a cryptocurrency trading platform, released a statement pointing to the "third-party vendor data incident" and said that its own security department had investigated whether Paxos' network had been breached.
Simon J. Smith, a cybercrime forensics specialist for Australia-based Official Intelligence, criticized the firm on LinkedIn for "passing the buck" in its press release, noting that "there are always dangers in using third parties." Smith also said Paxos could have done more to notify customers that their details had been given to the third party, which could result in social engineering attempts, and that Paxos should have told clients how to protect themselves against those risks.
A representative for Paxos told Information Security Media Group it had begun its own investigation within 24 hours of the notification from HubSpot, including informing account holders of the breach.
"Like many other companies, Paxos uses HubSpot to send emails. We performed extensive due diligence before selecting HubSpot as our email vendor as there is always risk with third-party vendors. Paxos always recommends that our customers be vigilant when it comes to email scams and their personal information and always use multi-factor authentication on all accounts," the spokesperson said.
In a conversation with ISMG, Alex Hamerstone, the director of advisory solutions for cybersecurity firm TrustedSec, stated that third-party risk was one of the most significant risks in cybersecurity, especially for financial service firms. Hamerstone says smaller organizations are sometimes easier to attack than larger organizations, which have advanced security protections. Also, third-party companies usually "hold the keys" to many organizations, creating the possibility of a bigger payout, he says.
"Why attack one bank when you can attack a service provider who has the keys to 100 banks?" Hamerstone tells ISMG.
This story has been updated to include statements from Paxos.