Swan Bitcoin, a Bitcoin-specific savings firm, revealed that it has been affected by a recent data breach of its newsletter provider Klaviyo.
Per an email seen by Decrypt and shared by the firm on Twitter, Klaviyo informed Swan Bitcoin of a security incident on August 7.
Swan Bitcoin said that “this incident is a result of one of their employees being phished, which led to the compromise of their internal systems and the download of Swan’s email list.”
“We are informing you of this incident because you are a subscriber to our email list and your email was leaked as a result of Klaviyo’s security incident,” added the email.
On August 7th, Klaviyo, a company we use for email communication, informed us of a security incident that occurred on their systems.
A Klaviyo employee was phished, and 44 companies in the Bitcoin and crypto industries, including Swan, were affected.
Read Cory’s email below. pic.twitter.com/JsXaSGryMB
— Swan.com (@SwanBitcoin) August 10, 2022
The crypto firm added that the leaked data included customers’ first names (no last names), email addresses, IP-based geolocation data identifying cities (in some cases), as well as information on how users originally joined the company’s email list.
Swan Bitcoin also confirmed that approximately 0.3% of the leaked dataset included an outdated snapshot of historical USD deposit information covering the period before March 2022. This likely means that only information about transfers between accounts was revealed in this 0.3%.
The Los Angeles-based firm said that it has no evidence that customer information is being targeted or misused. It did, however, warn of potential phishing attempts to obtain further information from affected customers.
“Assume all emails, texts, and phone calls asking you for sensitive information are not genuine,” reads the email.
Klaviyo reported the incident in a separate blog post, saying that the breach occurred in a phishing attack on August 3. Hackers reportedly managed to steal the login credentials of one of its employees.
These login credentials were then used to access the employee's account and internal Klaviyo support tools.
Klaviyo added that it immediately revoked access for the compromised user and removed the threat actor from its systems. The company also notified law enforcement and engaged with an unnamed leading cybersecurity firm to investigate the breach.
Importantly, Klaviyo reported that the attack was mainly targeting crypto businesses that chose the platform for their marketing activities.
“The threat actor used the internal customer support tools to search for primarily crypto-related accounts and viewed list and segment information for 44 Klaviyo accounts. For 38 of these accounts, the threat actor downloaded list or segment information,” said Klaviyo in its blog post.
According to the company, hackers obtained customers’ names, email addresses, phone numbers, as well as “some account specific custom profile properties.” Klaviyo said it had notified owners of all those accounts with the details of which profiles and profile fields were accessed or downloaded.
Founded in 2012 and based in Boston, MA, Klaviyo raised a $320 million Series D funding round in May 2021, which saw the firm’s valuation increase to over $9 billion. Klaviyo said it served more than 70,000 paying customers at the time.
Decrypt reached out to Klaviyo for more detail on the incident and will update the article accordingly should we hear back.
The data leak at Klaviyo also comes hot on the heels of reports that another popular email marketing platform, Mailchimp, has been suspending the accounts of crypto-related content creators and media outlets.
The affected businesses include the likes of self-custody crypto wallet Edge, crypto intelligence firm Messari, and Decrypt. The developments once again highlight the yet-to-be-resolved reliance of Web3 companies on legacy Web2 solutions.