Circle HubSpot Data Breach: Difference between revisions
{{Case Study Under Construction}}[[File:Circle.jpg|thumb|Circle]]Circle is one of the most well-known companies, a key backer of the USDC stablecoin. They were reportedly among the companies affected by the HubSpot data breach. They let customers know by email and also issued some public statements. There have been no specific reports of Circle clients or customers being targeted subsequently.

== About Circle ==

Circle is a global financial technology company headquartered in Boston, Massachusetts, known for managing the stablecoin USDC<ref name=":2">[[wikipedia:Circle_(company)|Circle (company) - Wikipedia]] (Jun 27, 2023)</ref>. It aims to create a more inclusive and efficient financial future<ref name="circle-8623" />. Founded in 2013 by Jeremy Allaire and Sean Neville, Circle initially focused on peer-to-peer payments technology<ref name=":2" />. Circle aims to create a financially inclusive future by transforming the way money moves and promoting economic growth<ref name="circle-8622" />. Circle's infrastructure offers enterprise-grade digital currencies, providing faster payments, smarter asset management, enhanced liquidity, and tools for developers to build on blockchain<ref name="circle-8622" />. They facilitate the frictionless exchange of value through digital currency innovation<ref name="circle-8623" />.
USDC is the second-largest stablecoin globally and is designed to maintain a stable value of $1, backed by a majority of short-term U.S. government securities<ref name=":2" />. USDC, a digital currency, is revolutionizing the global financial system by providing instant, low-cost transactions to a wider audience<ref name="circle-8622" />. It offers settlement in minutes, near-zero cost transactions, and operates 24/7, making money more accessible<ref name="circle-8622" />. Trusted by global leaders such as BlackRock, Visa, and Mastercard, USDC empowers businesses and builders worldwide to move money in innovative ways<ref name="circle-8622" />. With over $10 trillion in transactions across 190+ countries, USDC is being recognized for its impact<ref name="circle-8622" />. Visa's Head of Crypto, Cuy Sheffield, believes in the importance of evolving payment networks to accommodate new forms of money securely<ref name="circle-8622" />. The Treasurer of UNHCR, Carmen Hett, sees the potential for digital assets like USDC to deliver humanitarian assistance quickly and transparently<ref name="circle-8622" />. Anatoly Yakovenko, the CEO at Solana Labs, praises USDC for facilitating instant, global, and sustainable payment rails<ref name="circle-8622" />. Lisa Nestor, Chief Strategy Officer at Airtm, highlights how USDC enables millions of people to access stable money for earning opportunities<ref name="circle-8622" />.

Circle values transparency, stability, and responsible practices, welcoming clear regulation and engaging with regulators and policymakers<ref name="circle-8623" />. They partner with leading financial companies and provide detailed reports on the backing of their stablecoins, promoting a more stable future for cryptocurrencies<ref name="circle-8623" />. Circle's leadership team consists of experienced individuals from diverse backgrounds, ensuring sustainable growth and innovation<ref name="circle-8623" />. Their board of directors includes members from influential companies such as IDG, General Catalyst, Ernst & Young, and Goldman Sachs, contributing to stability and growth in the new economy<ref name="circle-8623" />. Circle offers Circle Accounts, which provide access to stablecoins and various solutions for payments, treasury, and liquidity, allowing businesses to expand and thrive<ref name="circle-8623" />.

The company has received significant venture capital funding, including a $50 million investment led by Goldman Sachs in 2015<ref name=":2" />. In 2018, Circle partnered with Coinbase to create USDC<ref name=":2" />. Circle Pay, the company's mobile payment platform, allowed users to hold, send, and receive traditional fiat currencies but was discontinued in 2019<ref name=":2" />. Circle acquired the Poloniex cryptocurrency exchange in 2018 but later spun it out, and Justin Sun, founder of Tron, led its acquisition<ref name=":2" />. Circle has licenses in multiple U.S. states and has received a Major Payment Institution license from the Monetary Authority of Singapore. The company has faced criticism for its business practices<ref name=":2" />.
== About HubSpot ==

HubSpot is a CRM platform offering a suite of software, integrations, and resources to connect marketing, sales, content management, and customer service<ref name=":0">[https://www.hubspot.com/ HubSpot Homepage] (Jun 27, 2023)</ref>. The platform consists of products that can be used individually or together to achieve optimal results<ref name=":0" />. The Marketing Hub helps with traffic growth, lead generation, marketing automation, and analytics<ref name=":0" />. The Sales Hub provides insights into prospects, automates tasks, and facilitates deal closures<ref name=":0" />. The Service Hub focuses on customer service, connecting with customers, and turning them into promoters<ref name=":0" />. The CMS Hub offers flexible content management for marketers and powerful features for developers<ref name=":0" />. The Operations Hub synchronizes applications, cleans and curates customer data, and automates processes<ref name=":0" />.

HubSpot was founded in 2006 by Brian Halligan and Dharmesh Shah at MIT<ref name=":1">[[wikipedia:HubSpot|HubSpot - Wikipedia]] (Jun 27, 2023)</ref>. The company experienced significant revenue growth, from $255,000 in 2007 to $15.6 million in 2010<ref name=":1" />. They expanded their offerings by acquiring Oneforty, a Twitter app store, and introducing personalized website software<ref name=":1" />. Initially targeting small businesses, HubSpot later served larger companies up to 1000 employees<ref name=":1" />. In 2014, they filed for an IPO and raised over $140 million<ref name=":1" />. HubSpot's stock has performed well, reaching a peak of $841.26 in 2021<ref name=":1" />. They made strategic acquisitions, including Kemvi in 2017 and The Hustle, a content and email newsletter company, in 2021. Yamini Rangan became the CEO in September 2021, while Brian Halligan transitioned to Executive Chairman<ref name=":1" />.

HubSpot emphasizes the importance of security, privacy, and control in its products<ref name="hubspotlegal-86162">[https://legal.hubspot.com/security HubSpot Security Program - Hubspot Website] (Jul 20, 2022)</ref>. It offers a comprehensive approach to data security, privacy, and control, providing tools that empower teams to achieve compliance and a secure infrastructure to protect data<ref name="hubspotlegal-86162" />. HubSpot is trusted by over 121,000 customers in more than 120 countries, including notable organizations such as KPMG, WWF, GoFundMe, Cybereason, LegalZoom, and CancerIQ<ref name="hubspotlegal-86162" />. The company takes a proactive approach to privacy and security, ensuring that its products meet established standards<ref name="hubspotlegal-86162" />. HubSpot follows a defense-in-depth approach, implementing multiple layers of security throughout the organization<ref name="hubspotlegal-86162" />. It complies with industry best practices, such as the OWASP Top 10 and the CIS Critical Security Controls, to continuously improve its security program. HubSpot prioritizes data privacy, ensuring that customer data is protected and used only as permitted in its Customer Terms of Service and Privacy Policy<ref name="hubspotlegal-86162" />. It offers features like GDPR compliance tools, customizable consent tracking, and subscription settings to help customers comply with data privacy regulations<ref name="hubspotlegal-86162" />. HubSpot's CRM platform is built on secure software development processes and includes features like SSL certificates, single sign-on, two-factor authentication, and password protection for enhanced security<ref name="hubspotlegal-86162" />. Customers can access resources like GDPR compliance information, privacy policy details, legal documentation, and security reports through HubSpot's Trust Center<ref name="hubspotlegal-86162" />. The company also addresses frequently asked questions about its infrastructure, regional data hosting, certifications, encryption, and other security measures<ref name="hubspotlegal-86162" />. Overall, HubSpot provides software that is secure, reliable, and designed to scale with businesses<ref name="hubspotlegal-86162" />.

HubSpot's CMO predicts that AI will revolutionize business in the future<ref name=":02">[https://www.hubspot.com/ HubSpot Homepage] (Jun 27, 2023)</ref>. HubSpot supports its users with free courses, certifications, resources, and a dedicated customer support team<ref name=":02" />. It also has a thriving user community, user groups, blogs, and an app marketplace with numerous integrations<ref name=":02" />.

== The Reality ==

Some HubSpot employees have access to customer HubSpot accounts. This access is intended to be used to assist customers<ref name="threatpost-8170" />. Users should be aware that the data held in those accounts often includes the past behavioural history of individual users. Such information is highly valuable in creating an effective social engineering attack<ref name="threatpost-8170" />. While security reviews happen, mistakes can be made<ref name="blockworks-8621" />.

<blockquote>“While it is true that financial data is not stored in the CRM, you should be aware that data associated with the users of these companies and their behaviors is logged in the CRM. This puts users in a unique position to be targeted in social engineering attacks.”

- HubSpot super admin Robert Warren</blockquote>

<blockquote>“[Vendors like HubSpot who are] trusted with client information [are] subjected to a number of reviews. However, even in those cases, vendors can make mistakes and as evidenced by Friday’s events have incidents that impact us and our clients.”

- Adam Healy, chief security officer at BlockFi</blockquote>
== What Happened ==

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

{| class="wikitable"
! Date !! Event !! Description
|-
| March 15th, 2022 || Social Engineering Attack || On March 15th, at an unspecified time, a HubSpot employee fell victim to a social engineering attack which persuaded the employee to provide the necessary credentials and multi-factor authentication[10].
|-
| March 17th, 2022 || Client Data Exported || It is reported by HubSpot that contact data and user data was exported on March 17th and March 18th through an internal support tool called "just-in-time access" (or JITA)[10].
|-
| March 18th, 2023 7:00:00 AM MDT || HubSpot Realized Breach || HubSpot reports they first "became aware of this unauthorized activity. [They] took prompt action to shut down the bad actor’s access and investigate its impact."[10]
|-
| March 19th, 2022 || HubSpot Issues Press Release FAQ || According to HubSpot's website, they published the statement and FAQ on March 19th. (No time is provided and the page was not captured by archive until the following day.) They state that "[o]n March 18, a bad actor compromised a HubSpot employee account and used it to access data within fewer than 30 HubSpot accounts."[11][12] HubSpot also set up a public FAQ page on their website to provide more information. They report the breach exporting contact data from fewer than 30 HubSpot portals, all of which have been notified. HubSpot believes the incident to be targeted at customers in the cryptocurrency industry and has taken measures to terminate access for the compromised employee account and prevent other employees from taking certain actions in customer accounts. Customers who have been impacted by the breach should contact their respective companies for information about what data was shared and any necessary steps they need to take[10][13].
|-
| March 21st, 2022 8:16:00 AM MDT || CrowdFundInsider Reports on Breach || According to an email distributed by Circle, HubSpot has “confirmed that an unauthorized bad actor accessed certain client data from several companies, including Circle, housed on their platform after a HubSpot employee account was compromised.” Circle notes that their internal systems were not impacted and personal information like a social security number or government ID information was not accessed. Circle adds that KYC and financial information were not stolen either[14][15].
|-
| March 21st, 2022 8:17:00 AM MDT || CoinDesk Article Published || CoinDesk publishes an article on the incident[16]. They report that a data breach at third-party marketing vendor HubSpot has impacted BlockFi, Swan Bitcoin, NYDIG, and Circle, among others, who maintain their customers' funds are still safe and secure. While user information was leaked to hackers, the affected companies said passwords and other internal information were not affected. HubSpot has not disclosed the full extent of the breach, and an investigation is ongoing. This is copied to Yahoo Finance[17].
|-
| March 21st, 2022 10:53:00 AM MDT || Cory Klippsten Criticism || Swan Bitcoin CEO Cory Klippsten criticizes the industry since close to 30 companies appear to have been breached and fewer than 10 have disclosed it publicly. He announces that his company is severing relations[18].
|-
| March 21st, 2022 11:38:00 AM MDT || Benzinga Article Published || Benzinga publishes an article on the Circle data breach. "The hacked data concerns aspects of browsing activity and interest in the company's products and account manager's name (only when applicable) — but only of those users who opted in to receiving marketing communications from the stablecoin operator." The company wrote: "Phishing may be done using email, phone calls, voicemail or text messages. In each case, the goal is to lure you into revealing confidential information such as bank account numbers, credit card information, Social Security numbers or passwords."[19][20]
|-
| March 21st, 2022 11:57:00 AM MDT || Blockworks Article Published || Blockworks publishes an article on the situation. They reported multiple crypto companies were affected including NYDIG, Pantera Capital, BlockFi, Circle and Swan Bitcoin. They report that Pantera Capital was breached a month earlier, and reference a Tweet from a breach a year and a month ago. The data breach saw user information leaked to hackers, but not passwords or sensitive personal information. It is believed to have been a “targeted incident focused on customers in the cryptocurrency industry”. Affected companies maintain customer funds are still safe and secure, and are monitoring the situation closely. The full extent of the HubSpot hack is still unknown and the investigation is reportedly still ongoing[21].
|-
| March 22nd, 2022 3:10:55 AM MDT || Silicon Republic Article || Silicon Republic reports that cryptocurrency companies, including Swan Bitcoin, BlockFi, NYDIG, Pantera Capital, and Circle, were among the 30 affected by a data breach at marketing and sales platform HubSpot. The company confirmed that a “bad actor” compromised an employee account and exported contact data from a small number of customer accounts. While it is unclear what the attacker planned to do with the information, phishing emails have been reported attempting to trick users into submitting their passwords into a fake company website[22][23].
|-
| || ThreatPost Article Published || ThreatPost publishes an article on the situation. They report that HubSpot, a marketing platform used by over 135,000 customers, suffered a data breach due to a rogue employee who targeted the company's cryptocurrency customers. At least 30 crypto firms were affected, including BlockFi, Swan Bitcoin, Circle, and NYDIG. The stolen data included contact data, names, emails, account types, phone numbers, and in some cases, company names. While there was no loss of sensitive financial or personal data, such as Social Security numbers or tax IDs, there was the inclusion of a "limited historical snapshot of USD deposits" and about 1.2% of the dataset included clients' intended investment areas or the median net worth of their approximate geographic locales<ref name="threatpost-81702">[https://threatpost.com/hubspot-data-breach-crytocurrency-industry/179086/ HubSpot Data Breach Ripples Through Crytocurrency Industry - Threatpost] (Jun 20, 2022)</ref>.
|}
== Technical Details ==

<blockquote>“On March 15, a bad actor conducted a social engineering attack against a HubSpot employee that captured the employee’s credentials and persuaded the employee to provide the necessary multi-factor authentication. Between March 15 and March 17, the bad actor conducted reconnaissance within HubSpot’s internal systems. On March 17 and March 18, the bad actor exported contact data and user data from certain HubSpot customer accounts via an internal support tool called just-in-time-access (or JITA).”</blockquote>

<blockquote>“HubSpot said on Saturday (19 March) that it became aware of a compromised employee account the previous day. The company believes data was exported from around 30 of its clients, ‘all of whom have been notified’.”</blockquote>
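The pattern described above (an employee's credentials and MFA obtained by social engineering, two days of reconnaissance, then contact exports from roughly 30 customer portals through an internal support tool) is one a defender can hunt for in the support tool's own audit log. The following is an added example, not HubSpot's code or log format: it assumes a hypothetical JITA-style audit log with the fields ts, employee, portal, action and ticket, and flags support accounts whose exports are not tied to a support ticket or that touch many distinct customer portals within a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from a hypothetical JITA-style support tool, one JSON
# object per line. Field names are assumptions; HubSpot's real schema is not public.
# "ticket" links an access to the customer request that justified it (null = none).
SAMPLE_LOG = """\
{"ts": "2022-03-15T09:10:00", "employee": "alice", "portal": "p-101", "action": "view", "ticket": "T-4411"}
{"ts": "2022-03-15T09:25:00", "employee": "alice", "portal": "p-101", "action": "export_contacts", "ticket": "T-4411"}
{"ts": "2022-03-15T14:02:00", "employee": "mallory", "portal": "p-201", "action": "view", "ticket": null}
{"ts": "2022-03-15T14:09:00", "employee": "mallory", "portal": "p-202", "action": "view", "ticket": null}
{"ts": "2022-03-16T08:15:00", "employee": "mallory", "portal": "p-203", "action": "view", "ticket": null}
{"ts": "2022-03-16T08:20:00", "employee": "mallory", "portal": "p-204", "action": "view", "ticket": null}
{"ts": "2022-03-16T08:31:00", "employee": "mallory", "portal": "p-205", "action": "view", "ticket": null}
{"ts": "2022-03-16T11:00:00", "employee": "bob", "portal": "p-150", "action": "view", "ticket": "T-4420"}
{"ts": "2022-03-16T11:30:00", "employee": "bob", "portal": "p-151", "action": "view", "ticket": "T-4421"}
{"ts": "2022-03-16T11:45:00", "employee": "bob", "portal": "p-151", "action": "export_contacts", "ticket": "T-4421"}
{"ts": "2022-03-17T10:00:00", "employee": "mallory", "portal": "p-201", "action": "export_contacts", "ticket": null}
{"ts": "2022-03-17T10:05:00", "employee": "mallory", "portal": "p-202", "action": "export_contacts", "ticket": null}
{"ts": "2022-03-17T10:12:00", "employee": "mallory", "portal": "p-203", "action": "export_contacts", "ticket": null}
{"ts": "2022-03-18T07:40:00", "employee": "mallory", "portal": "p-204", "action": "export_contacts", "ticket": null}
{"ts": "2022-03-18T07:48:00", "employee": "mallory", "portal": "p-205", "action": "export_contacts", "ticket": null}
"""

# Actions that move customer data out of the platform (assumed action names).
EXPORT_ACTIONS = {"export_contacts", "export_users"}


def parse_log(text):
    """Parse newline-delimited JSON audit records; returns dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def distinct_portals_in_window(times_portals, window):
    """Largest number of distinct portals touched within any sliding time window.
    times_portals is a list of (datetime, portal) sorted by datetime."""
    best, start = 0, 0
    counts = defaultdict(int)
    for ts, portal in times_portals:
        counts[portal] += 1
        # Drop events that fell out of the window ending at ts.
        while ts - times_portals[start][0] > window:
            old = times_portals[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect_support_tool_abuse(events, window=timedelta(hours=72),
                              max_export_portals=3, max_view_portals=4):
    """Return {employee: [reasons]} for support accounts whose usage resembles the
    incident pattern: exports with no linked ticket, bulk export across portals,
    or broad cross-portal browsing (reconnaissance) inside one time window."""
    alerts = defaultdict(list)
    views, exports, ticketless = defaultdict(list), defaultdict(list), defaultdict(int)
    for rec in events:
        key = (rec["ts"], rec["portal"])
        if rec["action"] in EXPORT_ACTIONS:
            exports[rec["employee"]].append(key)
            if not rec.get("ticket"):
                ticketless[rec["employee"]] += 1
        elif rec["action"] == "view":
            views[rec["employee"]].append(key)
    for emp, n in ticketless.items():
        alerts[emp].append(f"{n} export(s) with no linked support ticket")
    for emp, tp in exports.items():
        n = distinct_portals_in_window(tp, window)
        if n > max_export_portals:
            alerts[emp].append(f"exported data from {n} distinct portals within {window}")
    for emp, tp in views.items():
        n = distinct_portals_in_window(tp, window)
        if n > max_view_portals:
            alerts[emp].append(f"browsed {n} distinct portals within {window} (possible reconnaissance)")
    return dict(alerts)


if __name__ == "__main__":
    for emp, reasons in detect_support_tool_abuse(parse_log(SAMPLE_LOG)).items():
        print(emp)
        for reason in reasons:
            print("  -", reason)
```

On the constructed log only the compromised account trips all three rules; the two legitimate agents, whose exports are each tied to a ticket and confined to one or two portals, produce no alert.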
== Total Amount Lost ==
== Immediate Reactions ==

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

<blockquote>“The breach has rippled through the crypto industry: As of Monday, crypto lending platform BlockFi, bitcoin-purchasing automation platform Swan Bitcoin, bitcoin company NYDIG, peer-to-peer payments technology company Circle and cryptocurrency fund Pantera Capital (which was hit a month prior) had been affected.”</blockquote>

<blockquote>“Adam Healy, chief security officer at BlockFi, said that vendors like HubSpot who are ‘trusted with client information’ are ‘subjected to a number of reviews.’”</blockquote>

<blockquote>“‘However, even in those cases, vendors can make mistakes and as evidenced by Friday’s events have incidents that impact us and our clients,’ Healy said in a statement sent to Blockworks.”</blockquote>
=== Circle Email To Affected Users ===
== Ongoing Developments ==

What parts of this case are still remaining to be concluded?

=== Many Companies Not Disclosing Breach ===

Swan Bitcoin CEO Cory Klippsten reported that HubSpot had indicated "around 30 crypto companies [were affected by] the hack"<ref name="coryklippstentwitter-8618" />. The only companies which appear to have reported the breach so far are Swan Bitcoin, BlockFi, NYDIG, and Circle. (Pantera Capital suffered a separate HubSpot breach a year prior, and was not part of this incident.)
== General Prevention Policies ==

Privacy-conscious customers can easily set up a separate email address for each service, and avoid providing their phone number when possible. Any received email must be viewed with scrutiny. Interact with companies only through their official websites, and confirm anything directly with the company if it promises a significant reward or threatens access to your funds.
== References ==
<references>
<ref name="threatpost-8170">[https://threatpost.com/hubspot-data-breach-crytocurrency-industry/179086/ HubSpot Data Breach Ripples Through Crytocurrency Industry - Threatpost] (Jun 20, 2022)</ref>
<ref name="circle-8622">[https://www.circle.com/en/ Circle - USDC, Payments & Treasury Infrastructure for Businesses Homepage] (Jul 14, 2022)</ref>
<ref name="circle-8623">[https://www.circle.com/en/about-circle About Circle - USDC, Payments & Treasury Infrastructure for Business Homepage] (Jul 14, 2022)</ref>
<ref name="siliconrepublic-8176">[https://www.siliconrepublic.com/enterprise/hubspot-data-breach-crypto-web3-bitcoin HubSpot hack leads to multiple Web3 and crypto company data breaches] (Jun 26, 2022)</ref>
<ref name="hubspot-8171">[https://www.hubspot.com/en-us/march-2022-security-incident Information About HubSpot's March 18, 2022 Security Incident] (Jun 26, 2022)</ref>
<ref name="hubspot-8615">[https://ir.hubspot.com/news/hubspots-statement-regarding-march-18-2022-security-incident HubSpot's Statement Regarding March 18, 2022 Security Incident] (Jul 20, 2022)</ref>
<ref name="hubspotlegal-8616">[https://legal.hubspot.com/security HubSpot Security Program] (Jul 20, 2022)</ref>
<ref name="coryklippstentwitter-8618">[https://twitter.com/coryklippsten/status/1505950666023268354 Cory Klippsten - "Hubspot says it's around 30 crypto companies in the hack. Fewer than 10 have divulged so far." - Twitter] (Jul 20, 2022)</ref>
<ref name="blockworks-8621">[https://blockworks.co/nydig-blockfi-pantera-circle-all-targeted-in-hubspot-data-breach/ NYDIG, BlockFi, Pantera, Circle All ‘Targeted’ in HubSpot Data Breach - Blockworks] (Jul 20, 2022)</ref>
<ref name="crowdfundinsider-8624">[https://www.crowdfundinsider.com/2022/03/188659-circle-reports-security-incident-information-breach-via-hubspot/ Circle Reports Security Incident, Information Breach via HubSpot - CrowdFundInsider] (Jul 20, 2022)</ref>
<ref name="benzinga-8625">[https://www.benzinga.com/markets/cryptocurrency/22/03/26224678/circle-warns-its-users-of-potential-cyberattacks-heres-what-to-expect Circle Warns Its Users Of Potential Cyberattacks: Here's What To Expect - Benzinga] (Jul 20, 2022)</ref>
</references>
Revision as of 10:46, 28 June 2023
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| March 15th, 2022 | Social Engineering Attack | On March 15th, at an unspecified time, a HubSpot employee fell victim to a social engineering attack which persuaded the employee to provide the necessary credentials and multi-factor authentication[10]. |
| March 17th, 2022 | Client Data Exported | It is reported by Hubspot that contact data and user data was exported on March 17th and March 18th through an internal support tool called "just-in-time access" (or JITA)[10]. |
| March 18th, 2023 7:00:00 AM MDT | Hubspot Realized Breach | HubSpot reports they first "became aware of this unauthorized activity. [They] took prompt action to shut down the bad actor’s access and investigate its impact."[10] |
| March 19th, 2022 | Hubspot Issues Press Release FAQ | According to HubSpot's website, they published the statement and FAQ on March 19th. (No time is provided and the page was not captured by archive until the following day.) The state that "[o]n March 18, a bad actor compromised a HubSpot employee account and used it to access data within fewer than 30 HubSpot accounts."[11][12] Hubspot also set up a public FAQ page on their website to provide more information. They report the breach exporting contact data from fewer than 30 HubSpot portals, all of which have been notified. HubSpot believes the incident to be targeted at customers in the cryptocurrency industry and has taken measures to terminate access for the compromised employee account and prevent other employees from taking certain actions in customer accounts. Customers who have been impacted by the breach should contact their respective companies for information about what data was shared and any necessary steps they need to take[10][13]. |
| March 21st, 2022 8:16:00 AM MDT | CrowdFundInsider Reports on Breach | According to an email distributed by Circle, HubSpot has “confirmed that an unauthorized bad actor accessed certain client data from several companies, including Circle, housed on their platform after a HubSpot employee account was compromised.” Circle notes that their internal systems were not impacted and personal information like a social security number or government ID information was not accessed. Circle adds that KYC and financial information were not stolen either[14][15]. |
| March 21st, 2022 8:17:00 AM MDT | CoinDesk Article Published | CoinDesk publishes an article on the incident[16]. They report that a data breach at third-party marketing vendor HubSpot has impacted BlockFi, Swan Bitcoin, NYDIG, and Circle, among others, who maintain their customers' funds are still safe and secure. While user information was leaked to hackers, the affected companies said passwords and other internal information were not affected. HubSpot has not disclosed the full extent of the breach, and an investigation is ongoing. This is copied to Yahoo Finance[17]. |
| March 21st, 2022 10:53:00 AM MDT | Cory Klippsten Criticism | Swan Bitcoin CEO Cory Klippsten criticizes the industry since close to 30 companies appear to have been breached and fewer than 10 have disclosed it publicly. He announces that his company is severing relations[18]. |
| March 21st, 2022 11:38:00 AM MDT | Benzinga Article Published | Benzinga publishes an article on the Circle data breach. "The hacked data concerns aspects of browsing activity and interest in the company's products and account manager's name (only when applicable) — but only of those users who opted in to receiving marketing communications from the stablecoin operator." The company wrote: "Phishing may be done using email, phone calls, voicemail or text messages. In each case, the goal is to lure you into revealing confidential information such as bank account numbers, credit card information, Social Security numbers or passwords."[19][20] |
| March 21st, 2022 11:57:00 AM MDT | Blockworks Article Published | Blockworks publishes an article on the situation. They report that multiple crypto companies were affected, including NYDIG, Pantera Capital, BlockFi, Circle and Swan Bitcoin. They report that Pantera Capital was breached a month earlier, and reference a Tweet about a breach a year and a month earlier. The data breach saw user information leaked to hackers, but not passwords or sensitive personal information. It is believed to have been a “targeted incident focused on customers in the cryptocurrency industry”. Affected companies maintain that customer funds are still safe and secure, and are monitoring the situation closely. The full extent of the HubSpot hack is still unknown and the investigation is reportedly still ongoing[21]. |
| March 22nd, 2022 3:10:55 AM MDT | Silicon Republic Article | Silicon Republic reports that cryptocurrency companies, including Swan Bitcoin, BlockFi, NYDIG, Pantera Capital, and Circle, were among the 30 affected by a data breach at marketing and sales platform HubSpot. The company confirmed that a “bad actor” compromised an employee account and exported contact data from a small number of customer accounts. While it is unclear what the attacker planned to do with the information, phishing emails have been reported attempting to trick users into submitting their passwords into a fake company website[22][23]. |
| March 24th, 2022 11:11:00 AM MDT | ThreatPost Article Published | ThreatPost publishes an article on the situation. They report that HubSpot, a marketing platform used by over 135,000 customers, suffered a data breach due to a rogue employee who targeted the company's cryptocurrency customers. At least 30 crypto firms were affected, including BlockFi, Swan Bitcoin, Circle, and NYDIG. The stolen data included contact data, names, emails, account types, phone numbers, and in some cases, company names. While there was no loss of sensitive financial or personal data, such as Social Security numbers or tax IDs, there was the inclusion of a "limited historical snapshot of USD deposits" and about 1.2% of the dataset included clients' intended investment areas or the median net worth of their approximate geographic locales[24]. |
Technical Details
"On March 15, a bad actor conducted a social engineering attack against a HubSpot employee that captured the employee’s credentials and persuaded the employee to provide the necessary multi-factor authentication. Between March 15 and March 17, the bad actor conducted reconnaissance within HubSpot’s internal systems. On March 17 and March 18, the bad actor exported contact data and user data from certain HubSpot customer accounts via an internal support tool called just-in-time-access (or JITA)."
"HubSpot said on Saturday (19 March) that it became aware of a compromised employee account the previous day. The company believes data was exported from around 30 of its clients, “all of whom have been notified”."
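The sequence HubSpot describes above (credentials and an MFA code obtained by social engineering, two days of quiet reconnaissance, then contact exports from a few dozen customer portals through an internal support tool) leaves a recognisable shape in the support tool's audit trail: one employee account that only browses for a while and then pulls data from many distinct portals in a short burst. The detection sketch below is an added example, not HubSpot's code; the log format, field names, the 48-hour window and the portal threshold are all assumptions, and the audit lines are constructed to mirror the dates in the statement.

```python
"""Detection sketch: bulk customer-data export by a single support account.

Added example; not HubSpot's code. The log format, field names and the
thresholds are assumptions. The audit lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records from a hypothetical internal support tool:
# timestamp, employee account, action, customer portal id
SAMPLE_AUDIT_LOG = """\
2022-03-15T09:12:00Z emp-0042 view_portal portal-101
2022-03-15T09:30:00Z emp-0042 view_portal portal-102
2022-03-16T14:05:00Z emp-0042 view_portal portal-103
2022-03-17T08:00:00Z emp-0042 export_contacts portal-101
2022-03-17T08:03:00Z emp-0042 export_contacts portal-102
2022-03-17T08:07:00Z emp-0042 export_contacts portal-103
2022-03-18T10:20:00Z emp-0042 export_contacts portal-104
2022-03-18T10:25:00Z emp-0042 export_contacts portal-105
2022-03-18T11:00:00Z emp-0042 export_contacts portal-106
2022-03-17T09:00:00Z emp-0007 export_contacts portal-201
2022-03-18T16:40:00Z emp-0007 view_portal portal-202
"""


def parse_audit_log(text):
    """Parse the whitespace-separated records into sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, action, portal = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       emp, action, portal))
    events.sort()
    return events


def find_bulk_exporters(events, window=timedelta(hours=48), max_portals=3):
    """Map employee -> (distinct portals exported, window start, window end)
    for every account that exported from more than `max_portals` distinct
    customer portals inside any span of length `window`.
    A single portal export is normal support work; a fan-out across many
    portals by one account is the signal worth alerting on.
    """
    exports = defaultdict(list)
    for ts, emp, action, portal in events:
        if action == "export_contacts":
            exports[emp].append((ts, portal))

    alerts = {}
    for emp, rows in exports.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until the span fits.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            portals = {p for _, p in rows[start:end + 1]}
            if len(portals) > max_portals:
                prev = alerts.get(emp)
                if prev is None or len(portals) > prev[0]:
                    alerts[emp] = (len(portals), rows[start][0], rows[end][0])
    return alerts


def recon_days_before_first_export(events, emp):
    """Count distinct days on which `emp` only viewed portals before its
    first export. A quiet lead-in followed by a burst of exports is the
    pattern HubSpot describes (recon March 15-17, exports March 17-18)."""
    first_export = None
    for ts, e, action, _ in events:
        if e == emp and action == "export_contacts":
            first_export = ts
            break
    if first_export is None:
        return 0
    days = {ts.date() for ts, e, action, _ in events
            if e == emp and action != "export_contacts" and ts < first_export}
    return len(days)


if __name__ == "__main__":
    evts = parse_audit_log(SAMPLE_AUDIT_LOG)
    for emp, (n, t0, t1) in find_bulk_exporters(evts).items():
        print(f"ALERT {emp}: exported from {n} portals between {t0} and {t1}; "
              f"{recon_days_before_first_export(evts, emp)} recon day(s) before")
```

On the constructed log the only alert is for `emp-0042`, which exported from six portals in about 27 hours after two days of view-only activity; `emp-0007`'s single export is below the threshold. In a real deployment the threshold would be tuned against the normal per-account fan-out of the support team, and an alert would gate on the exporting account rather than on the customer portal, since the compromised credential is the common element.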
Total Amount Lost
The total amount lost is unknown.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
"The breach has rippled through the crypto industry: As of Monday, crypto lending platform BlockFi, bitcoin-purchasing automation platform Swan Bitcoin, bitcoin company NYDIG, peer-to-peer payments technology company Circle and cryptocurrency fund Pantera Capital (which was hit a month prior) had been affected."
"Adam Healy, chief security officer at BlockFi, said that vendors like HubSpot who are “trusted with client information” are “subjected to a number of reviews.”"
"“However, even in those cases, vendors can make mistakes and as evidenced by Friday’s events have incidents that impact us and our clients,” Healy said in a statement sent to Blockworks."
Circle Email To Affected Users
Circle distributed an email to customers[14]. TBD need to find full email.
confirmed that an unauthorized bad actor accessed certain client data from several companies, including Circle, housed on their platform after a HubSpot employee account was compromised. We are notifying you so that you can take actions to protect yourself. We encourage you to monitor your accounts on a regular basis, use strong passwords and remain vigilant against phishing attempts and other suspicious activity. Phishing may be done using email, phone calls, voicemail, or text messages. In each case, the goal is to lure you into revealing confidential information such as bank account numbers, credit card information, Social Security numbers or passwords.
"Circle, the financial services firm that issued the dollar-linked stablecoin, said in a statement to Blockworks that financial transaction data was not “impacted by the security incident.”"
"Circle declared in a recent statement that the breach of a HubSpot employee account resulted in bad actors obtaining the contact information. The hacked data concerns aspects of browsing activity and interest in the company's products and account manager's name (only when applicable) — but only of those users who opted in to receiving marketing communications from the stablecoin operator."
"According to an email distributed by Circle, HubSpot has “confirmed that an unauthorized bad actor accessed certain client data from several companies, including Circle, housed on their platform after a HubSpot employee account was compromised.”"
"“We have communicated with the affected parties and will follow up with them on any material developments as we continue to monitor and investigate the incident,” a Circle spokesperson told Blockworks."
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
"The investigation of the bad actor’s activity confirmed that this was a targeted attack focused on customers in the cryptocurrency industry. There was no evidence of suspicious activity within targeted customer accounts after March 18, 2022."
"While it is unclear what the attacker planned to do with this information, Coindesk reported that some users saw an uptick in phishing emails over the weekend, attempting to lure them into putting their passwords into a fake company website."
"Circle tells prospective users: “We are notifying you so that you can take actions to protect yourself. We encourage you to monitor your accounts on a regular basis, use strong passwords and remain vigilant against phishing attempts and other suspicious activity. Phishing may be done using email, phone calls, voicemail, or text messages. In each case, the goal is to lure you into revealing confidential information such as bank account numbers, credit card information, Social Security numbers or passwords.”"
"[The] rogue employee working at HubSpot – used by more than 135,000 (and growing) customers to manage marketing campaigns and on-board new users – has been fired over a breach that zeroed in on the company’s cryptocurrency customers, the company confirmed on Friday."
"A full list of the affected clients has not been published, but [HubSpot] said it appeared to be a “targeted incident focused on customers in the cryptocurrency industry”."
"Hubspot says it's around 30 crypto companies in the hack. Fewer than 10 have divulged so far."
HubSpot reported on their FAQ[10] that security had been upgraded since the incident:
Since the incident, we have taken steps to enhance our security and to prevent a similar attack from occurring in the future. While our investigation has concluded and remediation completed, we remain committed to improving our security through regular assessments and testing.
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Many Companies Not Disclosing Breach
Swan Bitcoin CEO Cory Klippsten reported that HubSpot had indicated "around 30 crypto companies [were affected by] the hack"[25]. The only companies which appear to have reported the breach so far are Swan Bitcoin, BlockFi, NYDIG, and Circle. (Pantera Capital suffered a separate HubSpot breach a year prior, and was not part of this incident.)
General Prevention Policies
Privacy-conscious customers can easily set up separate email addresses for each service, and avoid providing their phone number when possible. Any received email must be viewed with scrutiny. Interact with companies only through their official websites, and confirm anything directly with the company if it promises a significant reward or threatens access to your funds.
Platforms should put in place multi-signature access control on customer data, which requires the approval of multiple people to enable the mass download of data.
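The multi-person approval rule described above can be expressed directly in the export path of an internal support tool. The sketch below is an added example, not HubSpot's or Circle's code; the record threshold, the distinct-portal limit, the number of required approvers and the `fetch_records` callback are assumptions made for illustration. It treats both a single large pull and many small pulls across different portals from one account as a mass download, since the incident on this page was the latter.

```python
"""Added example of a two-person rule for mass customer-data export.

Illustrative code, not HubSpot's or Circle's; the thresholds and the
fetch_records callback are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

BULK_RECORD_THRESHOLD = 500   # assumed: one export above this size is "mass"
PORTAL_LIMIT = 3              # assumed: distinct portals one account may
                              # export from without approval
REQUIRED_APPROVERS = 2        # assumed: distinct approvers, never the requester


class ExportDenied(Exception):
    """Raised when an export lacks the approvals the policy requires."""


@dataclass
class ExportRequest:
    requester: str
    portal_id: str
    record_count: int
    approvals: set = field(default_factory=set)

    def approve(self, approver):
        # Self-approval would collapse the rule back to single-person control,
        # which is exactly what a single compromised account exploits.
        if approver == self.requester:
            raise ExportDenied("requester cannot approve their own export")
        self.approvals.add(approver)


class ExportGate:
    """Remembers what each account has already exported and enforces the rule."""

    def __init__(self):
        self.portals_exported = defaultdict(set)

    def needs_approval(self, req):
        touched = self.portals_exported[req.requester] | {req.portal_id}
        return (req.record_count > BULK_RECORD_THRESHOLD
                or len(touched) > PORTAL_LIMIT)

    def run(self, req, fetch_records):
        """Perform the export only when the policy is satisfied."""
        if self.needs_approval(req):
            approvers = req.approvals - {req.requester}
            if len(approvers) < REQUIRED_APPROVERS:
                raise ExportDenied(
                    f"{req.requester} needs {REQUIRED_APPROVERS} approvals to "
                    f"export {req.record_count} records from {req.portal_id}; "
                    f"has {len(approvers)}")
        records = fetch_records(req.portal_id, req.record_count)
        # Record the portal only after a successful export so a denied
        # request does not count against the requester.
        self.portals_exported[req.requester].add(req.portal_id)
        return records


def fake_fetch(portal_id, n):
    """Constructed stand-in for the real customer-data source."""
    return [f"{portal_id}:contact-{i}" for i in range(n)]


if __name__ == "__main__":
    gate = ExportGate()
    for portal in ("portal-101", "portal-102", "portal-103"):
        gate.run(ExportRequest("emp-0042", portal, 20), fake_fetch)
    fourth = ExportRequest("emp-0042", "portal-104", 20)
    try:
        gate.run(fourth, fake_fetch)
    except ExportDenied as err:
        print("blocked:", err)
    fourth.approve("emp-0007")
    fourth.approve("emp-0099")
    print(len(gate.run(fourth, fake_fetch)), "records exported with two approvals")
```

Three small exports pass without approval; the fourth portal from the same account is blocked until two other people sign off, and the requester's own approval is rejected. The gate has to live inside the tool that performs the export, not in a separate review process, or a single captured credential can bypass it as it did here.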
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] About Circle - USDC, Payments & Treasury Infrastructure for Business Homepage (Jul 14, 2022)
- [2] Circle (company) - Wikipedia (Jun 27, 2023)
- [3] Circle - USDC, Payments & Treasury Infrastructure for Businesses Homepage (Jul 14, 2022)
- [4] HubSpot Homepage (Jun 27, 2023)
- [5] HubSpot - Wikipedia (Jun 27, 2023)
- [6] HubSpot Security Program - HubSpot Website (Jul 20, 2022)
- [7] HubSpot Homepage (Jun 27, 2023)
- [8] HubSpot Data Breach Ripples Through Cryptocurrency Industry - Threatpost (Jun 20, 2022)
- [9] NYDIG, BlockFi, Pantera, Circle All ‘Targeted’ in HubSpot Data Breach - Blockworks (Jul 20, 2022)
- [10] Information About HubSpot's March 18, 2022 Security Incident - HubSpot Website (Jun 26, 2022)
- [11] HubSpot's Statement Regarding March 18, 2022 Security Incident - HubSpot Website (Jul 20, 2022)
- [12] HubSpot's Statement Regarding March 18, 2022 Security Incident - HubSpot Website Archive March 20th, 2022 6:18:05 PM MDT (Apr 24, 2023)
- [13] Information About HubSpot's March 18, 2022 Security Incident - HubSpot Website Archive March 20th, 2022 8:03:24 PM MDT (Apr 24, 2023)
- [14] Circle Reports Security Incident, Information Breach via HubSpot - CrowdFundInsider (Jul 20, 2022)
- [15] Circle Reports Security Incident, Information Breach via HubSpot - CrowdFundInsider Archive March 21st, 2022 8:16:00 AM MDT (Apr 24, 2023)
- [16] HubSpot Hack Leads to Data Breaches at BlockFi, Swan Bitcoin, NYDIG and Circle - CoinDesk (Apr 24, 2023)
- [17] HubSpot Hack Leads to Data Breaches at BlockFi, Swan Bitcoin, NYDIG and Circle - Yahoo Finance (Jul 20, 2022)
- [18] Cory Klippsten - "Hubspot says it's around 30 crypto companies in the hack. Fewer than 10 have divulged so far." - Twitter (Jul 20, 2022)
- [19] Circle Warns Its Users Of Potential Cyberattacks: Here's What To Expect - Benzinga (Jul 20, 2022)
- [20] Circle Warns Its Users Of Potential Cyberattacks: Here's What To Expect - Benzinga Archive March 21st, 2022 1:18:34 PM MDT (Apr 24, 2023)
- [21] NYDIG, BlockFi, Pantera, Circle All ‘Targeted’ in HubSpot Data Breach - Blockworks (Jul 20, 2022)
- [22] HubSpot hack leads to multiple Web3 and crypto company data breaches - Silicon Republic (Jun 26, 2022)
- [23] HubSpot hack leads to multiple Web3 and crypto company data breaches - Silicon Republic Archive March 22nd, 2022 4:07:55 AM MDT (Apr 24, 2023)
- [24] HubSpot Data Breach Ripples Through Cryptocurrency Industry - Threatpost (Jun 20, 2022)
- [25] Cory Klippsten - "Hubspot says it's around 30 crypto companies in the hack. Fewer than 10 have divulged so far." - Twitter (Jul 20, 2022)