Celsius depositors should be wary of phishing scams after the company revealed some of its customer data had been leaked in a third-party data breach.
On July 26, Celsius emailed its customers informing them that their email list had been leaked by an employee of a business data management and messaging vendor.
According to Celsius, the breach stemmed from an engineer at messaging platform Customer.io who leaked data to a malicious third party.
“We were recently notified by our vendor Customer.io that one of their employees accessed the Celsius client email address list,” Celsius said in an email to customers. The data breach was part of the same attack that leaked the email addresses of OpenSea subscribers in June.
Announcement from Celsius: “We are writing to let you know that we
recently notified by our vendorhttps://t.co/452EROQtbc that one of their employees
access the Celsius client email list
addresses stored on their platform and
transfer it to a third party.”
— Celsians (@CelsiansNetwork) 28 July 2022
However Celsius played down the incident by stating that it did not “pose a high risk to our clients,” adding that they just wanted users to “be aware.”
On July 7th, Customer.io wrote on a blog. posted that “We know this is the result of a deliberate action on the part of a senior engineer who has the appropriate level of access to perform their duties and provided this email address to a malicious actor.” The employee has been laid off.
The number of emails that were leaked was not disclosed, nor were the platforms on which they were leaked.
However, the crypto community has started warning Celsius users about phishing attacks that usually follow email data breaches.
Phishing is a form of social engineering in which targeted emails are sent to lure victims into revealing more personal data or clicking on links to malicious websites that install malware to steal or mine cryptocurrencies.
️ Celsius users should expect a phishing email along the lines of “Verify your wallet to withdraw your funds” that will phish your SRP/PKey because of this.
Remember, your SRP should only be known to you and you only https://t.co/QYuDhEE7aL
— harry.eth (whg.eth) (@sniko_) 28 July 2022
A similar data breach in April 2021 saw Celsius customers reportedly targeted by a fake website claiming to be Celsius’ official platform. Some received SMS and emails asking them to disclose personal information and initial phrases.
At the time, the company reported that hackers had gained access to a third-party email distribution system it used.
Related: Email server breach makes Celsians the target of phishing attacks
Perhaps the most infamous crypto data breach was that of hardware wallet provider Ledger, whose servers were hacked in 2020. Spitting out thousands of customers’ personal details on the internet resulted in untold losses and even physical threats to many victims, but the company has. refused to compensate them.