A data breach at the fintech company Betterment has leaked the personal information of over 1.4 million user accounts following a social engineering attack.
The attack resulted in customers receiving fraudulent messages that attempted to enroll them in a crypto scam promising to triple returns if they sent funds to the threat actor’s account.
Betterment’s data breach affected a third-party marketing system
Betterment says the attacker targeted a third-party marketing platform after tricking an employee into sharing their login credentials. The attack did not, however, compromise Betterment’s own infrastructure.
“This means the individual used identity impersonation and deception to gain access, rather than compromising our technical infrastructure,” the fintech company stated.
According to the data breach tracking website Have I Been Pwned (HIBP), the breach exposed victims’ phone numbers, dates of birth, physical addresses, geographic locations, job titles, and device information. Betterment also says the data breach leaked contact information and other customer details in some cases.
“Our analysis continues to indicate that the primary privacy impact involved certain customer contact information, including names and emails. In a subset of cases, contact information was coupled with other customer information, such as physical addresses, phone numbers, or birthdates,” noted HIBP.
In response, Betterment launched an investigation with cybersecurity firm CrowdStrike and determined that the attack did not grant the threat actor access to customer accounts or leak login information.
The fintech company also began working with a data analytics firm to determine the potential personal risk stemming from the data breach. Betterment is also strengthening its security systems to prevent a similar data breach in the future.
So far, the fintech company has not disclosed the number of victims, pending an ongoing investigation. While the leaked data varied by individual, HIBP found 1,435,174 unique email addresses, suggesting a similar number of victims.
Fintech company Betterment warns customers of social engineering attacks
Meanwhile, the attackers have attempted to lure a subset of victims into crypto scams promising triple returns within 3 days if they transfer their funds to a threat actor’s account.
In response, the fintech company has contacted a subset of customers and warned them about fraudulent crypto messages that appeared to originate from its systems. The fintech company also says it has terminated the threat actor’s access and confirmed that the security of customer accounts was unaffected.
It also warned impacted customers to be on the lookout for social engineering and phishing messages following the data breach. Similarly, customers should be aware that Betterment would never ask for login information via text or email.
Previously, the notorious hacking group ShinyHunters had listed Betterment, SoundCloud, and CrunchBase as victims of a vishing attack on the identity management platform Okta. The attack leveraged a custom phishing toolkit that could present contextual screens matching the user’s authentication flow to collect login credentials and MFA codes.
ShinyHunters claimed to have stolen 20 million records from Betterment, although the claim could not be independently confirmed.
On January 14, Betterment also said it had experienced a Distributed Denial of Service (DDoS) attack that shut down its website and mobile apps, but did not affect customer accounts.
“The recent attacks on Betterment underscore how quickly today’s threat actors can exploit even the smallest missteps,” said Piyush Sharma, co-founder and CEO of Tuskira. “In less than a week, Betterment was targeted by the ShinyHunters’ social engineering campaign and hit by a separate DDoS attack, an unsettling one-two punch for any financial services firm. While Betterment acted swiftly with forensic investigations and response, this case illustrates a broader truth: reactive cybersecurity is no longer enough to protect high-value data.”

