Celsius Suffers Third-Party Data Breach, Customers Report Phishing Texts, Emails

The crypto lender's data leak comes almost a year to the date after a similar data leak hit BlockFi.

Apr 15, 2021 at 4:31 p.m. UTC
Updated Sep 14, 2021 at 12:41 p.m. UTC

Crypto lending service Celsius has discovered a data breach with one of its third-party service providers has exposed the personal information of its customers, an email sent to Celsius customers and shared with CoinDesk confirms.

Hackers gained access to a “third-party email distribution system” Celsius uses, according to the email. The hackers have used this information to send fraudulent emails and text messages to Celsius to trick them into revealing the private keys to their funds.

“On April 14, 2021, Celsius customers began reporting a fraudulent website claiming to be an official Celsius platform. We also became aware of some Celsius customers receiving SMS and email messages, that claimed to be official Celsius communication, linking to that website, and prompting recipients to enter sensitive information,” the email reads.

“An unauthorized party managed to gain access to a back-up third-party email distribution system which had connections to a partial customer email list. Once inside the system, this unauthorized party sent a fraudulent email announcement, of which we know some of the recipients to be Celsius customers.”

A copy of one of the phishing text messages sent to Celsius clients.

The team is still investigating how the hackers gained access to the phone numbers of Celsius' clients, considering the breach occurred with an email management system.

Notably, Celsius clients report receiving phishing messages to phone numbers that they never provided to Celsius.

"The phishing scam’s goal was to get access to recipients’ external wallets, not Celsius wallets, by leveraging the trust that our community has in us. We know that customers who had not registered an email or phone number with Celsius also received fraudulent messages to these contact details, thus we believe the data was collected from external data sources," CEO Alex Mashinsky said in a statement.

Last spring, Celsius competitor BlockFi suffered a similar data breach, though by way of a hacker gaining access to an employee's company accounts through a sim swap. Hardware wallet producer Ledger has also suffered leaks of its customer data. Such leaks can put users' funds (not to mention their physical safety) at risk.

This is a developing story and will be updated.

DISCLOSURE

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.