NYDIG HubSpot Data Breach

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 15:14, 10 April 2023 by Azoundria

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

NYDIG

NYDIG is an institution-grade bitcoin company offering multiple bitcoin-integrated products. They were reportedly among the companies affected by the HubSpot data breach. A third-party tweet shows an email they sent to those affected. They have not publicly confirmed the breach or made any further statements. There have been no specific reports I could locate of NYDIG clients being targeted subsequently.

This exchange or platform is based in the United States, or the incident targeted people primarily in the United States.[1][2][3][4][5][6][7][8][9][10][11][12][13]

About NYDIG

"NYDIG is a bitcoin company that’s fusing high tech with institutional-grade finance to usher in a new era of financial products. We make it easy for partners to white label our solutions and create their own products like bitcoin accounts, rewards, and loyalty programs."

"We’re building an inclusive financial system that makes Bitcoin a universal option for billions of people worldwide. Bitcoin is a resource for human progress, and NYDIG is the gateway."

"NYDIG is a subsidiary of Stone Ridge, a holding company that has led the creation of forward-thinking firms across the worlds of technology and finance, including a $13B+ alternatives asset manager." "NYDIG was founded in 2017 by Ross Stevens and Robert Gutmann as New York Digital Investment Group, a subsidiary of Stone Ridge Holdings Group, based in New York.[1] In 2017, the company received a US$50 million Series A investment led by Bessemer Venture Partners. In October 2020, the company received a US$50 million growth equity round of funding, led by FinTech Collective, with Bessemer Venture Partners and Ribbit Capital participating."

"The breach has rippled through the crypto industry: As of Monday, crypto lending platform BlockFi, bitcoin-purchasing automation platform Swan Bitcoin, bitcoin company NYDIG, peer-to-peer payments technology company Circle and cryptocurrency fund Pantera Capital (which was hit a month prior) had been affected."

"Most individuals don’t understand the power of a CRM. At minimum, these tools allow companies to acquire, sort and manage incoming customers (and their data) in a way that provides the best user experience. At maximum, these tools are capable of an extreme degree of web monitoring and AI-based user segmentation and prediction."

"Multiple Web3 and crypto companies have been affected by a data breach at HubSpot, a marketing and sales platform that stores customer information."

"On March 15, a bad actor conducted a social engineering attack against a HubSpot employee that captured the employee’s credentials and persuaded the employee to provide the necessary multi-factor authentication. Between March 15 and March 17, the bad actor conducted reconnaissance within HubSpot’s internal systems. On March 17 and March 18, the bad actor exported contact data and user data from certain HubSpot customer accounts via an internal support tool called just-in-time-access (or JITA)."

"On Friday, March 18, 2022, NYDIG was made aware of a security incident at one of our vendors, Hubspot, which assists us with email communications and marketing." "Hubspot informed us that a bad actor compromised a Hubspot employee's account and may have gained access to contact information that NYDIG stores with Hubspot, which is limited to: Names, Email addresses, Phone numbers."

"HubSpot said on Saturday (19 March) that it became aware of a compromised employee account the previous day. The company believes data was exported from around 30 of its clients, “all of whom have been notified”."

"Adam Healy, chief security officer at BlockFi, said that vendors like HubSpot who are “trusted with client information” are “subjected to a number of reviews.”"

"“However, even in those cases, vendors can make mistakes and as evidenced by Friday’s events have incidents that impact us and our clients,” Healy said in a statement sent to Blockworks."

"The investigation of the bad actor’s activity confirmed that this was a targeted attack focused on customers in the cryptocurrency industry. There was no evidence of suspicious activity within targeted customer accounts after March 18, 2022."

"While it is unclear what the attacker planned to do with this information, Coindesk reported that some users saw an uptick in phishing emails over the weekend, attempting to lure them into putting their passwords into a fake company website."

"To protect yourself, it is important that you exercise extra vigilance and care when reviewing or responding to emails, text messages, and phone calls, particularly those related to NYDIG. NYDIG will never send you an unprompted email to ask for your NYDIG account information, password, or Two-Factor Authentication (2FA) code. NYDIG will never send you an unprompted email providing a public key or wallet address for you to send Bitcoin or other digital assets, and will never request via email that you share any private key."

"[The] rogue employee working at HubSpot – used by more than 135,000 (and growing) customers to manage marketing campaigns and on-board new users – has been fired over a breach that zeroed in on the company’s cryptocurrency customers, the company confirmed on Friday."

"A full list of the affected clients has not been published, but [HubSpot] said it appeared to be a “targeted incident focused on customers in the cryptocurrency industry”."

"Since the incident, we have taken steps to enhance our security and to prevent a similar attack from occurring in the future. While our investigation has concluded and remediation completed, we remain committed to improving our security through regular assessments and testing."

"Hubspot says it's around 30 crypto companies in the hack. Fewer than 10 have divulged so far."

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - NYDIG HubSpot Data Breach

Date | Event | Description
March 18th, 2022 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

Privacy-conscious customers can set up separate email addresses for each service easily, and avoid providing their phone number when possible. Any received emails must be viewed with scrutiny. Interact with companies only through their official websites and confirm anything with the company directly if it promises a significant reward or threatens access to your funds.

Platforms should put in place multi-signature access control on customer data, which requires the approval of multiple people to enable the mass download of data.
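
The sketch below is an added example of such an approval gate, not code from HubSpot, NYDIG, or this repository. It shows a bulk export being refused unless a quorum of distinct approvers, none of them the requester, has signed off on that exact request, so a single compromised employee account cannot export customer data alone. The approver names, keys, threshold, quorum size, and expiry are all assumptions, and HMAC with per-approver keys stands in for real digital signatures.

```python
import hashlib
import hmac
import time

# Constructed sample policy: keys, names and limits are assumptions for this example.
APPROVER_KEYS = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol"}
QUORUM = 2            # distinct approvers required for a bulk export
BULK_THRESHOLD = 100  # exports above this many records need a quorum
APPROVAL_TTL = 900    # seconds an approval stays valid


def request_digest(requester, account_id, record_count):
    """Bind approvals to one exact request so they cannot be reused for another."""
    msg = f"{requester}|{account_id}|{record_count}".encode()
    return hashlib.sha256(msg).hexdigest()


def sign_approval(approver, digest, issued_at):
    """An approver authenticates the request digest and timestamp with their own key."""
    payload = f"{digest}|{issued_at}".encode()
    mac = hmac.new(APPROVER_KEYS[approver], payload, hashlib.sha256).hexdigest()
    return {"approver": approver, "issued_at": issued_at, "mac": mac}


def export_allowed(requester, account_id, record_count, approvals, now=None):
    """Return (allowed, reason) for an export request under the quorum policy."""
    now = time.time() if now is None else now
    if record_count <= BULK_THRESHOLD:
        return True, "below bulk threshold"
    digest = request_digest(requester, account_id, record_count)
    valid = set()  # a set, so one approver submitting twice counts once
    for a in approvals:
        name = a.get("approver")
        if name not in APPROVER_KEYS or name == requester:
            continue  # unknown approver, or requester approving their own export
        if not 0 <= now - a["issued_at"] <= APPROVAL_TTL:
            continue  # expired or future-dated approval
        expected = sign_approval(name, digest, a["issued_at"])["mac"]
        if hmac.compare_digest(expected, a["mac"]):
            valid.add(name)
    if len(valid) >= QUORUM:
        return True, f"approved by {sorted(valid)}"
    return False, f"{len(valid)} of {QUORUM} required approvals"
```

Every refusal returned by export_allowed is worth logging and alerting on, since repeated denied bulk exports from one account are a useful detection signal.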

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References