Unchained Capital partner hit with social engineering attack
- Usernames, client email addresses, account status and IP addresses were exported
- Dates of birth, bank account numbers, physical addresses, passwords, bitcoin balances, Social Security numbers, IDs and phone numbers were not at risk
- The attacker posed as an Unchained staff member and got support to reactivate an account, through which the attack occurred
Unchained Capital CEO Joe Kelly wrote in an email to clients and a post on the company website on Wednesday that ActiveCampaign (AC), an external email marketing provider, was hit with a social engineering attack last week. Unchained Capital is a Bitcoin-only financial services provider, CoinDesk reported.
Emails, usernames, account status exported
As the attack occurred on the AC platform, only data shared with AC, such as usernames, client email addresses, account status, IP addresses, and whether the client had an active multisignature vault or had received a loan from Unchained Capital, could have been exported without permission.
Unchained’s systems not compromised
There were no leaks of client profile information that Unchained never shared with AC. This includes data like dates of birth, bank account numbers, physical addresses, passwords, bitcoin balances, Social Security numbers, IDs, phone numbers, trading activity, bitcoin addresses, loan balances, loan statements and vault statements.
The post on Unchained’s website says the attack took place through a live chat tool on AC’s public website, which did not require user authentication. It occurred between 8 and 9 a.m. CST on Thursday, March 10.
The attacker, pretending to be a staff member of Unchained Capital, led an AC support chat representative to reactivate an account belonging to the financial services provider, which had been closed a month earlier.
Thereafter, the attacker socially engineered a second AC support chat representative into adding an administrative user with a username and password the attacker provided. This gave the attacker unauthorized access to the reopened account without a valid email. The attacker then exported the data from the previously closed account.
Unchained Capital goes on to write:
Though we had requested this data be deleted, it was not. Unfortunately, we only learned that AC had not deleted this data after discovering the social engineering attack. Within 20 minutes of the attack, an Unchained Capital administrator received emails with the fraudulent chat transcripts and took immediate measures to restrict further access. After the attack was identified, Unchained Capital worked to gather these relevant facts. Ultimately, on Tuesday, March 15, AC confirmed unauthorized access did occur and that the attacker was able to export the data described above.
The company’s CEO urged clients to be aware of what happened and to stay vigilant against phishing attacks, even though multisig cold storage protects client bitcoin custody. Kelly stated:
We are deeply sorry this incident occurred as we take our client’s privacy very seriously. We want to reinforce the fact that, due to our collaborative custody model, no such incidents could ever put any client funds at risk.