On August 7th, email addresses and personally identifiable information from customers at Swan Bitcoin and 44 other bitcoin and crypto companies were leaked in a data breach.
According to reports, an employee at the email marketing company Klaviyo fell victim of a phishing attack. The attacker gained access to the email marketing lists of Swan Bitcoin customers and those of 44 other companies.
In an email sent out by Cory Klippsten, the CEO of Swan Bitcoin mentions:
“On Sunday August 7th, Klaviyo, the company we use for email communication, informed us of a security incident that occurred on their systems. This incident is a result of one of their employees being phished, which led to the compromise of their internal systems and the download of Swan’s email list”.
According to Cory, more than just email addresses were affected. First names, as well as IP addresses and even certain deposit information could have been leaked.
The email states:
“The data involved included: first name (not last name), email, in some cases IP-based geolocation data identifying cities, and how you originally joined our email list.”
In a separate blog post, Klaviyo mentioned the data breach and reported:
“The threat actor used the internal customer support tools to search for primarily crypto related accounts and viewed list and segment information for 44 Klaviyo accounts. For 38 of these accounts, the threat actor downloaded list or segment information. The information downloaded contained names, email addresses, phone numbers, and some account specific custom profile properties for profiles in those lists or segments.”
This incident shows that centralized data hosts, such as KYC exchanges and email marketing tools often become “honeypots”, highly-valuable targets for hackers that use these emails and data for phishing attacks and other ways to obtain bitcoin and crypto through theft.
Using a pseudonymous email address, a VPN or TOR and providing as little data as possible can help reduce the amount of personally identifiable information attackers can gain through these kinds of data breaches.