- Around 30 clients were impacted, but the full list has not been released yet from HubSpot, nor is the precise nature of the data known
- Companies known to be affected said customer funds are still safe and secure
In an attempt to target large crypto stakeholders, hackers breached third-party marketing vendor HubSpot last week.
NYDIG, Pantera Capital, BlockFi, Circle and Swan Bitcoin were among those hit by the data breach, per outreach emails reviewed by Blockworks. Affected companies maintain customer funds are still safe and secure. User information was leaked to hackers, but passwords and other sensitive personal information were not.
HubSpot — which stores users’ names, email addresses and phone numbers — said that the breach was a “targeted incident focused on customers in the cryptocurrency industry.”
One “bad actor,” according to a spokesperson from HubSpot, had “compromised a HubSpot employee account” to access the information. Around 30 clients were impacted, all of whom have been informed.
“We have terminated access for the compromised HubSpot employee account and removed the ability for other employees to take certain actions in customer accounts,” the Massachusetts-based company said in an email to Blockworks. “We take the privacy of our customers and their data incredibly seriously.”
Adam Healy, chief security officer at BlockFi, said that vendors like HubSpot who are “trusted with client information” are “subjected to a number of reviews.”
“However, even in those cases, vendors can make mistakes and as evidenced by Friday’s events have incidents that impact us and our clients,” Healy said in a statement sent to Blockworks.
Circle, the financial services firm that issued the dollar-linked stablecoin, said in a statement to Blockworks that financial transaction data was not “impacted by the security incident.”
“We have communicated with the affected parties and will follow up with them on any material developments as we continue to monitor and investigate the incident,” a Circle spokesperson told Blockworks.
“Sensitive personal information, like Social Security numbers or government-issued identification, were not accessed as this information is not stored on HubSpot.”
Pantera Capital said that its HubSpot account had been compromised last month. The crypto VC firm sent out an email on March 19, assuring clients that their funds were still secure.
Events like the HubSpot hack are “impossible to avoid” but pale in comparison to “traditional companies,” Greg Gopman, chief marketing and business development officer of Web3 infrastructure company Ankr, told Blockworks.
“There’s a good chance that a traditional company would have lost its customers’ funds in such a broad attack,” Gopman said. “But the blockchain is way more secure, and their treasuries weren’t even touched. Decentralized infrastructure protects data.”
The full extent of the HubSpot hack is still unclear, however, because the company hasn’t disclosed exactly how much data was leaked. The investigation is ongoing.