According to the Celsius community, the company has allegedly been contacting users to inform them of a data breach directly affecting them that could easily lead to phishing attempts.
One Disgruntled Employee, Two Mailing Lists
Announcement from Celsius: “We are writing to let you know that we
were recently informed by our vendorhttps://t.co/452EROQtbc that one of their employees
accessed a list of Celsius client email
addresses held on their platform and
transferred those to a third-party.”
— Celsians (@CelsiansNetwork) July 28, 2022
The breach was reportedly identified on the 30th of June, at the same time as the OpenSea client data leak. Back then, Celsius reached out to Customer.io – the company handling market communications for both OpenSea and Celsius – who stated that the crypto lender’s client data was unaffected.
However, on July 8, Customer.io representatives allegedly recanted their statement and informed Celsius that some of their client data actually had been breached. The employee has since been terminated, and Customer.io updated its statement on the incident, stating that the data of five other customers had also been stolen.
“After further investigating the compromised OpenSea email addresses incident, we have learned today that the email addresses from five other customers were also provided to the same external bad actor.”
It appears that Celsius may have been one of the five, as users took to Twitter to share screenshots of cautionary emails that they received.
— db (@tier10k) July 28, 2022
Phishing Attempts Expected
According to the screenshots shared by Celsius users, the only client data leaked to bad actors is a list of email addresses with no other personally identifying information (PII).
Celsius reportedly does not foresee any major threats to further client data security. However, the team has nevertheless warned users to be on their guard and to contact Celsius support if affected.
“We do not consider the incident to present any high risks to our clients whose email addresses may have been affected but are releasing this communication to make sure you are aware.”
Meanwhile, cybersecurity researchers have warned users that possible phishing emails will likely be in the form of a link to a fake verification process allowing users to withdraw funds. It is, however, rather ironic that even though this would be a nifty bit of social engineering – especially since Celsius withdrawals are still frozen – withdrawals from the platform are still, well, suspended. Therefore, it’s rather unclear how bad actors could drain an unsuspecting victim’s wallet anyhow.
Nevertheless, the incident is another important reminder to all to keep their private keys safe and offline and to avoid following links or QR codes whose origins cannot be ascertained.
As Celsius’ court case trundles on, this incident will likely be yet another worrying thought on the minds of the platform’s users.