Celsius, the crypto lending platform that recently filed for chapter 11 bankruptcy proceedings, sent out an email yesterday stating that customer email addresses were leaked in a data breach related to customer.io.
The email states:
“We are writing to let you know that we were recently informed by our vendor Customer.io that one of their employees accessed a list of Celsius client email addresses held on their platform and transferred those to a third-party.”
Last month, Customer.io revealed that email addresses of millions of customers were leaked in an OpenSea related data breach. According to reports, an employee at the company accessed the data and intentionally transferred it to a third party.
At first it was reported that the breach was only linked to the NFT platform OpenSea. But in the weeks following the incident, more information surfaced that indicated the data breach was much more massive.
An official email sent out by the insolvent crypto lender Celsius yesterday reveals that its customer email addresses were part of the Customer.io breach as well. The email further states: “We do not consider the incident to present any high risks to our clients whose email addresses may have been affected but are releasing this communication to make sure you are aware.”
Celsius clients, which cannot withdraw any of their funds and may have lost a majority of their bitcoin and crypto held by Celsius, may be confronted with a wave of phishing emails.
Ironically, there might not be much to get from scammers since neither they nor Celsius customers can access their funds. However, the incidence shows that centralized bitcoin and crypto companies are frequently targeted and victims of data breaches.
In 2021, hardware wallet provider Ledger suffered a data breach, which resulted in a wave of phishing emails to trick customers to reveal their private keys. From a privacy perspective, it’s always best practice to use an email address that doesn’t contain your full name.
Instead of using an email address like firstname.lastname@gmail.com, use a privacy-preserving email format like fl@gmail.com. This won’t protect you from phishing emails, but as long as scammers don’t have any additional data you have better privacy if your email address ends up in the wrong hands.