Marketing software firm HubSpot Inc. has been hacked, resulting in a data breach at several leading cryptocurrency-related companies.
According to HubSpot, the hack occurred on March 18 and involved a bad actor compromising an employee account. HubSpot did not disclose how the compromise took place, saying only that their investigation is still underway.
Fewer than 30 HubSpot portals were subsequently targeted, with those targeted being in the cryptocurrency industry. HubSpot has not named which companies were infected, but some are known as they have disclosed the hack to their clients. Those known to be affected include Circle Internet Financial Ltd., BlockFi Lending LLC, Pantera Capital, New York Digital Investments Group LLC and Swan Bitcoin.
The only information stolen appears to be contact details. On Twitter, BlockFi said that its internal systems and client funds were not impacted, nor were account passwords, government-issued ID numbers, or Social Security numbers. In a later tweetBlockFi said that information they had stored on HubSpot included names, email and phone numbers for most of their clients.
Swan Bitcoin issued a similar statement – the information stored on HubSpot was basic contact details and did not compromise user accounts.
HubSpot noted that it had terminated access for the compromised employee account and has removed the ability for other employees to take certain actions in customer accounts. The company added that some employees have access to HubSpot accounts for account management and support purposes.
“SaaS and managed service providers are enticing targets for cybercriminals as they know that if they successfully compromise the provider, they will likely gain access to the data or networks of hundreds or thousands of the providers’ downstream customers,” Chris Clements, vice president of solutions architecture at IT service management company Cerberus Cyber Sentinel Corp., told SiliconANGLE. “It’s a shortcut to mass exploitation that could otherwise take the attacker months or even years to achieve independently.”
Given the risks, Clements noted that it’s imperative that every organization understand that the data they share with third-party partners or vendors largely becomes out of their control and with little recourse should it be stolen if the third party is compromised.
“Every third party should be part of a risk analysis based on the level of access or sensitivity of data shared with them and this analysis must be updated over time as the relationship evolves, Clements added. “The results of the risk analysis should inform a cybersecurity strategy for partner or vendor controls and mitigations to provide a higher level of security assurance as is deemed necessary.”