Celsius Suffers Third-Party Data Breach, Customers Report Phishing Texts, Emails

The crypto lender's data leak comes almost a year to the date after a similar data leak hit BlockFi.

AccessTimeIconApr 15, 2021 at 4:31 p.m. UTC
Updated Sep 14, 2021 at 12:41 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global event for everything crypto, blockchain and Web3.Register Now

Crypto lending service Celsius has discovered a data breach with one of its third-party service providers has exposed the personal information of its customers, an email sent to Celsius customers and shared with CoinDesk confirms.

Hackers gained access to a “third-party email distribution system” Celsius uses, according to the email. The hackers have used this information to send fraudulent emails and text messages to Celsius to trick them into revealing the private keys to their funds.

“On April 14, 2021, Celsius customers began reporting a fraudulent website claiming to be an official Celsius platform. We also became aware of some Celsius customers receiving SMS and email messages, that claimed to be official Celsius communication, linking to that website, and prompting recipients to enter sensitive information,” the email reads.

“An unauthorized party managed to gain access to a back-up third-party email distribution system which had connections to a partial customer email list. Once inside the system, this unauthorized party sent a fraudulent email announcement, of which we know some of the recipients to be Celsius customers.”

A copy of one of the phishing text messages sent to Celsius clients.
A copy of one of the phishing text messages sent to Celsius clients.

The team is still investigating how the hackers gained access to the phone numbers of Celsius' clients, considering the breach occurred with an email management system.

Notably, Celsius clients report receiving phishing messages to phone numbers that they never provided to Celsius.

"The phishing scam’s goal was to get access to recipients’ external wallets, not Celsius wallets, by leveraging the trust that our community has in us. We know that customers who had not registered an email or phone number with Celsius also received fraudulent messages to these contact details, thus we believe the data was collected from external data sources," CEO Alex Mashinsky said in a statement.

Last spring, Celsius competitor BlockFi suffered a similar data breach, though by way of a hacker gaining access to an employee's company accounts through a sim swap. Hardware wallet producer Ledger has also suffered leaks of its customer data. Such leaks can put users' funds (not to mention their physical safety) at risk.

This is a developing story and will be updated.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.