Shalini Nagarajan

Blockchain data analytics platform Nansen recently suffered a security incident that exposed some users&#8217; email addresses and passwords.



The breach appears to have originated from a third-party vendor whose system was compromised, allowing an attacker to obtain admin rights to an account used for granting customer access to Nansen.



Nansen CEO Alex Svanevik stated that the company became aware of the attack on Sept. 20. Initial investigations indicate that about 6.8% of its users are affected by the breach.



“These users had their email addresses exposed, a smaller portion also had password hashes exposed, and a last, smallest group also had their blockchain address exposed,” Svanevik <a href="https://twitter.com/nansen_ai/status/1705137387838574904">said</a> in an X post on Friday.



“We have informed our users via email if and how they’ve been affected,” he added.



<figure class="wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter"><div class="wp-block-embed__wrapper">
<blockquote class="twitter-tweet" data-width="550" data-dnt="true">🚨 Important update from us at Nansen. Please take a moment to read this. <a href="https://t.co/syKE0sNnC6">pic.twitter.com/syKE0sNnC6</a>&mdash; Nansen 🧭 (@nansen_ai) <a href="https://twitter.com/nansen_ai/status/1705137387838574904?ref_src=twsrc%5Etfw">September 22, 2023</a></blockquote><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</div></figure>



A Nansen spokesperson declined to disclose the name of the vendor, but said it has asked them to communicate on the incident publicly in case others are affected.



Nansen contacted affected users via emails sent from its official support@nansen.ai email address on Sept. 21 between 5 pm and 9 pm UTC, instructing them to reset their passwords.



The team also informed users that while their passwords are not stored in plaintext, malicious attackers could still attempt to gain access to accounts using the compromised password and email address.



Data breaches have become increasingly frequent in the industry of late.



NFT platform OpenSea <a href="https://blockworks.co/news/opensea-warns-of-phishing-attacks-due-to-data-breach">told users about a data breach</a> in June last year when staff discovered that email addresses had been shared with an external party.



Last month, ConsenSys <a href="https://blockworks.co/news/metamask-security-breach-consensys-says">disclosed</a> that about 7,000 MetaMask users had their private information, including email addresses, compromised between Aug. 2021 and Feb. 2023.



Also in August, embattled crypto companies BlockFi and FTX also <a href="https://blockworks.co/news/block-ftx-data-breach-kroll">reported being indirectly impacted</a> by a cybersecurity breach related to third-party claims administration platform Kroll.



<hr class="wp-block-separator has-alpha-channel-opacity"/>



Don’t miss the next big story – join our <a href="https://blockworks.co/newsletter?source=end" target="_blank" rel="noreferrer noopener">free daily newsletter</a>.

Nansen alerts users to security breach involving vendor

Sebastian Sinclair

Embattled crypto firms BlockFi and FTX said they have both been indirectly affected by a cybersecurity breach involving third-party claims administration platform Kroll.&nbsp;



BlockFi issued a statement on Wednesday attempting to assuage concerns that its internal systems and funds had not been affected by the breach that had occurred Tuesday. Kroll has reportedly confirmed unauthorized access to certain client data stored on its system.



Kroll is currently serving as the claims agent in the bankruptcy cases of both companies, facilitating the submission and administration of <a href="https://restructuring.ra.kroll.com/blockfi/">debtor claims</a> through <a href="https://restructuring.ra.kroll.com/FTX/EPOC-Index">online portals</a>.&nbsp;



&#8220;To be clear, BlockFi&#8217;s internal systems and client funds were not impacted,&#8221; BlockFi said in its <a href="https://twitter.com/BlockFi/status/1694844414294704547?s=20">statement</a>. “We understand this is frustrating. In the spirit of transparency, we wanted to make our clients aware of this incident before bad actors could utilize this information to clients&#8217; detriment.”



Defunct crypto exchange FTX announced a similar incident, which it said had occurred on Kroll’s platform and that its own system and account passwords had also not been affected.



In a <a href="https://twitter.com/FTX_Official/status/1694899217326608611?s=20">post</a> on X, formerly Twitter, FTX said non-sensitive customer data of claimants had been compromised. Kroll has since taken measures to contain and remediate the incident, per the statement.



“Kroll is notifying affected individuals directly with measures that customers can take to protect themselves,” FTX said.



<a href="https://blockworks.co/tag/ftx">FTX</a> collapsed late last year following allegations it had misappropriated customer funds through sister trading firm Alameda Research. BlockFi simultaneously fell victim to a liquidity crunch following its exposure to FTX through loans made to Alameda as well as funds trapped on FTX.



BlockFi is attempting to <a href="https://blockworks.co/news/blockfi-ftx-3ac-claims-creditor-funds">foil efforts</a> by FTX, as well as former Singapore-based hedge fund firm Three Arrows Capital, over claims to billions of dollars they say are owed to them by the former crypto lender.



Both companies advised clients Thursday to remain vigilant for attempted fraud, phishing attempts and scam emails impersonating parties connected to the security breaches.



<a href="https://blockworks.co/tag/blockfi">BlockFi</a> also warned of an expected uptick in spam phone calls and phishing attempts against other bankrupt crypto firms in the weeks and months ahead.



FTX and BlockFi said they were monitoring the situation. Blockworks attempted to contact Kroll but has so far received no response.



<hr class="wp-block-separator has-alpha-channel-opacity"/>



Don’t miss the next big story – join our <a href="https://blockworks.co/newsletter?source=end" target="_blank" rel="noreferrer noopener">free daily newsletter</a>.

BlockFi, FTX downplay data breach involving claims administration platform Kroll

<div id="highlights-block_62e3bbeab713f" class="highlights">
 <ul>
 <li>The same data breach that affected OpenSea has affected Celsius</li>
 <li>Customer.io removed its employee responsible for email leaks</li>
 </ul>
 
</div>



Celsius users — look out for phishing attacks.&nbsp;



The cryptocurrency lender has warned customers that a data breach led to their emails being leaked.



Late Thursday, Celsius emailed users informing them that an employee at its email delivery vendor Customer.io accessed a list of client addresses and sent them to an unauthorized party.



The embattled firm said it didn’t consider the incident to pose “high risks,” and had been informed that no other Celsius-related data was compromised beyond identified email addresses.&nbsp;



<figure class="wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter"><div class="wp-block-embed__wrapper">
<blockquote class="twitter-tweet" data-width="550" data-dnt="true">Announcement from Celsius: “We are writing to let you know that we were recently informed by our vendor<a href="https://t.co/452EROQtbc">https://t.co/452EROQtbc</a> that one of their employees accessed a list of Celsius client email addresses held on their platform and transferred those to a third-party.”&mdash; Celsians (@CelsiansNetwork) <a href="https://twitter.com/CelsiansNetwork/status/1552737193407533057?ref_src=twsrc%5Etfw">July 28, 2022</a></blockquote><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</div></figure>



About a month ago, collectibles platform <a href="https://cms.blockworks.co/opensea-warns-of-phishing-attacks-due-to-data-breach/" target="_blank" rel="noreferrer noopener">OpenSea warned users</a> that their email addresses were compromised in a similar leak. Customer.io was responsible for that incident too, since one of its employees abused their access. The vendor <a href="https://customer.io/blog/update-to-compromised-email-addresses-incident/" target="_blank" rel="noreferrer noopener">said</a> that the employee responsible had been terminated, had all access removed and was reported to law enforcement.



Celsius, aware that Customer.io was one of its vendors, said it proceeded to remove data held with the firm after the OpenSea episode. At the time, the vendor found no Celsius data involved in the breach.&nbsp;



But on July 8, Celsius was notified that it too had been affected by the same offender. In a <a href="https://customer.io/blog/update-to-compromised-email-addresses-incident/" target="_blank" rel="noreferrer noopener">statement</a>, Customer.io confirmed five clients apart from OpenSea were impacted by the email leaks. “We do not expect to learn any additional information since this incident resulted from the actions of a single employee, who had legitimate access to these email addresses as part of the employee’s job,” it added.



Celsius customers took to Twitter to express frustration over a stream of trouble they’ve had to face with the lender.&nbsp;



<figure class="wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter"><div class="wp-block-embed__wrapper">
<blockquote class="twitter-tweet" data-width="550" data-dnt="true">Celsius is a total disaster. Leaking a list of customer emails is a nice cherry on top of the bankruptcy sundae. <a href="https://t.co/J9lqUSdhIA">pic.twitter.com/J9lqUSdhIA</a>&mdash; Asher (#361) (@Asher68W) <a href="https://twitter.com/Asher68W/status/1552746070899171328?ref_src=twsrc%5Etfw">July 28, 2022</a></blockquote><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</div></figure>



The firm is dealing with restructuring its assets after <a href="https://cms.blockworks.co/celsius-to-file-for-bankruptcy-imminently-report/" target="_blank" rel="noreferrer noopener">filing for bankruptcy</a> on July 13. A court document shows Celsius has $5.5 billion in liabilities and $4.3 billion in assets, leaving it with a <a href="https://cms.blockworks.co/celsius-faces-heat-for-1-2b-balance-sheet-hole-customers-owed-4-7b/" target="_blank" rel="noreferrer noopener">$1.2 billion hole</a> on its balance sheet.



And while Celsius has been quick to downplay the risk to its users, similar data breaches have shown that affected users have actually lost funds due to phishing attacks.&nbsp;



When hardware wallet manufacturer Ledger suffered a <a href="https://www.ledger.com/addressing-the-july-2020-e-commerce-and-marketing-data-breach" target="_blank" rel="noreferrer noopener">data leak</a> of its marketing database in July 2020, its users were targeted with devious scams designed to steal their cryptocurrencies.



Shopify, the e-commerce giant that Ledger used to sell its wallets, <a href="https://cointelegraph.com/news/shopify-facing-another-lawsuit-from-crypto-holders-over-ledger-data-breach" target="_blank" rel="noreferrer noopener">also came under attack</a> from users for “repeatedly and profoundly” failing to protect customer identities. Both firms were sued in April after victims lost some of their crypto assets.



<hr class="wp-block-separator has-alpha-channel-opacity"/>



Don’t miss the next big story – join our <a href="https://blockworks.co/newsletter?source=end" target="_blank" rel="noreferrer noopener">free daily newsletter</a>.

Celsius Admits Customer Emails Leaked In Third-Party Data Breach

<div id="highlights-block_62bd517a9613f" class="highlights">
 <ul>
 <li>A Customer.io employee shared email addresses with an unauthorized external party</li>
 <li>OpenSea warned users of fraudsters trying to impersonate the platform by using fake domain names</li>
 </ul>
 
</div>



Collectibles platform OpenSea has alerted customers to a data breach after staff found email addresses were shared with an external party.



Head of Security Cory Hardman said in a <a href="https://opensea.io/blog/safety-security/important-update-on-email-vendor-security-incident/" target="_blank" rel="noreferrer noopener">blog</a> post on Wednesday that an employee of <a href="https://customer.io/">Cust</a><a href="https://customer.io/" target="_blank" rel="noreferrer noopener">o</a><a href="https://customer.io/">mer.io</a>, OpenSea’s email delivery vendor, abused their access by downloading and externally sharing customer data.&nbsp;



“If you have shared your email with OpenSea in the past, you should assume you were impacted,” he wrote. “We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement.”



The company further warned customers might face phishing attacks&nbsp;— attempts by cybercriminals posing as credible institutions with an aim to obtain sensitive information — by using a domain name similar to the official “opensea.io,” such as “opensea.org” or “opensae.io.”



<a href="https://twitter.com/econoar/status/1542343306704732162?s=20&amp;t=Uf4dK_Yi0L8D7GG73hfZ6Q" target="_blank" rel="noreferrer noopener">Screenshots</a> posted to Twitter show OpenSea notified customers about the data breach via email. Some users <a href="https://twitter.com/Didzis68904323/status/1542363159230652416" target="_blank" rel="noreferrer noopener">demanded</a> compensation.



<figure class="wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter"><div class="wp-block-embed__wrapper">
<blockquote class="twitter-tweet" data-width="550" data-dnt="true">OpenSea data breach. <a href="https://t.co/FEtDKsoHje">pic.twitter.com/FEtDKsoHje</a>&mdash; eric.eth (@econoar) <a href="https://twitter.com/econoar/status/1542343306704732162?ref_src=twsrc%5Etfw">June 30, 2022</a></blockquote><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</div></figure>



Customer.io told Blockworks that the employee in question has been suspended and had access removed, pending an internal investigation. &#8220;We are working closely with OpenSea and are reviewing exactly how these email addresses were compromised,&#8221; a spokesperson for the vendor company said.



A similar incident occurred in March, when hackers <a href="https://cms.blockworks.co/nydig-blockfi-pantera-circle-all-targeted-in-hubspot-data-breach/" target="_blank" rel="noreferrer noopener">breached</a> third-party marketing vendor HubSpot to target large crypto stakeholders. NYDIG, Pantera Capital, <a href="https://twitter.com/BlockFi/status/1504982848771608586?s=20&amp;t=nEdl35DgSTJHl-INlo8Z_g" target="_blank" rel="noreferrer noopener">BlockFi</a>, Circle and <a href="https://twitter.com/SwanBitcoin/status/1505261139571191813?s=20&amp;t=Cod2RQU8PdmBbXcAxeuF-A" target="_blank" rel="noreferrer noopener">Swan Bitcoin</a> were among the affected companies.



OpenSea found itself in a sea of trouble thanks to another incident prior the data breach. The Department of Justice earlier this month charged its former head of product, Nathaniel Chastain, with <a href="https://cms.blockworks.co/former-opensea-exec-charged-with-nft-insider-trading/" target="_blank" rel="noreferrer noopener">insider trading</a> in connection to non-fungible tokens (NFTs). He was charged with one count of wire fraud and another count of money laundering.



Chastain <a href="https://cms.blockworks.co/openseas-nate-chastain-calls-it-quits-after-insider-trading-allegations/" target="_blank" rel="noreferrer noopener">resigned</a> from his position at OpenSea in September after he was suspected of profiting from inside information and purchasing NFTs before they were posted publicly.



OpenSea remains the leading marketplace by volume by a wide margin, with over six times the sales of the second-largest NFT marketplace over the past 30 days, according to data from <a href="https://dappradar.com/nft/marketplaces" target="_blank" rel="noreferrer noopener">DappRadar</a>.



<hr class="wp-block-separator has-alpha-channel-opacity"/>



Don’t miss the next big story – join our <a href="https://blockworks.co/newsletter?source=end" target="_blank" rel="noreferrer noopener">free daily newsletter</a>.

OpenSea Warns of Phishing Attacks Due to Data Breach

Morgan Chittum

<div id="highlights-block_6238b83c95784" class="highlights">
 <ul>
 <li>Around 30 clients were impacted, but the full list has not been released yet from HubSpot, nor is the precise nature of the data known</li>
 <li>Companies known to be affected said customer funds are still safe and secure</li>
 </ul>
 
</div>



In an attempt to target large crypto stakeholders, hackers breached third-party marketing vendor <a href="https://www.hubspot.com/en-us/march-2022-security-incident." target="_blank" rel="noreferrer noopener">HubSpot</a> last week.



NYDIG, Pantera Capital, <a href="https://twitter.com/BlockFi/status/1504982848771608586?s=20&amp;t=nEdl35DgSTJHl-INlo8Z_g" target="_blank" rel="noreferrer noopener">BlockFi</a>, Circle and <a href="https://twitter.com/SwanBitcoin/status/1505261139571191813?s=20&amp;t=Cod2RQU8PdmBbXcAxeuF-A" target="_blank" rel="noreferrer noopener">Swan Bitcoin</a> were among those hit by the data breach, per outreach emails reviewed by Blockworks. Affected companies maintain customer funds are still safe and secure. User information was leaked to hackers, but passwords and other sensitive personal information were not. 



HubSpot — which stores users’ names, email addresses and phone numbers — said that the breach was a “targeted incident focused on customers in the cryptocurrency industry.”



One “bad actor,” according to a spokesperson from HubSpot, had “compromised a HubSpot employee account” to access the information. Around 30 clients were impacted, all of whom have been informed.



“We have terminated access for the compromised HubSpot employee account and removed the ability for other employees to take certain actions in customer accounts,” the Massachusetts-based company said in an email to Blockworks. “We take the privacy of our customers and their data incredibly seriously.”



Adam Healy, chief security officer at BlockFi, said that vendors like HubSpot who are “trusted with client information” are “subjected to a number of reviews.”&nbsp;



“However, even in those cases, vendors can make mistakes and as evidenced by Friday&#8217;s events have incidents that impact us and our clients,” Healy said in a statement sent to Blockworks.&nbsp;



Circle, the financial services firm that issued the dollar-linked stablecoin, said in a statement to Blockworks that financial transaction data was not “impacted by the security incident.”&nbsp;



“We have communicated with the affected parties and will follow up with them on any material developments as we continue to monitor and investigate the incident,” a Circle spokesperson told Blockworks.



<blockquote class="wp-block-quote">“Sensitive personal information, like Social Security numbers or government-issued identification, were not accessed as this information is not stored on HubSpot.”</blockquote>



Pantera Capital said that its HubSpot account had been <a href="https://twitter.com/PanteraCapital/status/1362140521800622080?s=20&amp;t=vQKoYhpK4bHoFjtc9V2KjQ" target="_blank" rel="noreferrer noopener">compromised last month.</a> The crypto VC firm sent out an email on March 19, assuring clients that their funds were still secure. 



Events like the HubSpot hack are “impossible to avoid” but pale in comparison to “traditional companies,” Greg Gopman, chief marketing and business development officer of Web3 infrastructure company Ankr, told Blockworks.



“There’s a good chance that a traditional company would have lost its customers&#8217; funds in such a broad attack,” Gopman said. “But the blockchain is way more secure, and their treasuries weren’t even touched. Decentralized infrastructure protects data.”



The full extent of the HubSpot hack is still unclear, however, because the company hasn&#8217;t disclosed exactly how much data was leaked. The investigation is ongoing.



<hr class="wp-block-separator has-alpha-channel-opacity"/>



Don’t miss the next big story – join our <a href="https://blockworks.co/newsletter?source=end" target="_blank" rel="noreferrer noopener">free daily newsletter</a>.