Celsius, a crypto lending service, recently learned of a security breach at one of its third-party service providers, which led to a data breach at Celsius itself. All of its customers faced serious complications as they had their entire personal data exposed. Hackers infiltrated Celsius’s third-party email distribution system, and were thus able to pull off the Celsius data breach.
Perils of the Celsius Data Breach
The stolen data was later grossly misused. The hackers used the sensitive information to send phishing emails and text messages to Celsius customers, aiming to trick them into giving up the private keys to their monetary funds.
The phishing attack was brought to light when Celsius customers began complaining of a spoofed website disguised as Celsius, around 14th April 2021. By then, Celsius customers had also received SMS messages on their phones, along with emails, posing as Celsius. All fraudulent communication from the hackers ended with a link to the spoofed website, where a contact form captured the sensitive information of the users who fell for the trick.
“An unauthorized party managed to gain access to a back-up third-party email distribution system which had connections to a partial customer email list,” an official email from Celsius to a reporting site said. “Once inside the system, this unauthorized party sent a fraudulent email announcement, of which we know some of the recipients to be Celsius customers.”
A copy of one of the phishing text messages sent to Celsius clients:
Similar messages were sent through phishing emails.
Investigation teams are actively looking into the matter, trying to find out how the hackers gained access to the phone numbers and email IDs of Celsius’ clients, especially as the data breach occurred within a contained email distribution system environment.
Curiously enough, according to the complaints, the phishing SMS messages are all being delivered to phone numbers that the clients never provided to Celsius. This suggests a deeper breach of all the customers, putting every entity connected through their email at risk. This includes banking, logins, and other accounts.
“The phishing scam’s goal was to get access to recipients’ external wallets, not Celsius wallets, by leveraging the trust that our community has in us. We know that customers who had not registered an email or phone number with Celsius also received fraudulent messages to these contact details, thus we believe the data was collected from external data sources,” CEO Alex Mashinsky said in a statement.
The mantra for total online security: email, email, email!
We cannot stress enough how critical email security has become. This Celsius data breach was unique in that the hackers didn’t use phishing at the primary stage but rather went straight for a data breach of a third-party vendor. Phishing and smishing (SMS phishing) were later used to trick the customers of the victim, who in turn became the final victims. This goes to show how meticulous hackers are in their preparation, and how they can layer their attacks to get what they want.
Work from home has increased our reliance on email, making email security triply important. It all begins with awareness and ends in execution. Choose your email vendors with extra caution. Also add additional layers of security on top of the security mechanisms your vendor already has in place. However, once you start doing this, you’ll realise you need parallel vendors for everything: one for the actual service, and one for security.
Instead, why not go for a bundled security service provider? Our email solution is protected by an extra barrier of security, through our Cloud Email ATP solution, which can detect and prevent phishing along with other modern email threats. Be it Zimbra, O365 or any other email service, Logix email ATP solutions are always secure.