Embattled crypto lender Celsius Network has revealed via email that some of its customers’ data were breached by an employee of Customer.io.
Announcement from Celsius: “We are writing to let you know that we
were recently informed by our vendorhttps://t.co/452EROQtbc that one of their employees
accessed a list of Celsius client email
addresses held on their platform and
transferred those to a third-party.”
— Celsians (@CelsiansNetwork) July 28, 2022
Great news out of Celsius today: #Celsius distributed a report (which was late, as usual) regarding the data breach of clients’ emails on June 30 — which likewise involved four other companies, including @opensea. Not a surprise to see Celsius picking customer.i0 as a vendor. Lol pic.twitter.com/3JXszSYFAu
— ETH_guy (@jailwatchsc) July 28, 2022
According to Celsius, the firm has been discussing with Customer.io and confirmed that no other data was affected by the breach.
Celsius downplays the extent of the breach
The crypto lender has downplayed the extent of the breach as it said the leak had not impacted its systems and security.
Celsius said it only made its users aware of the breach and did not “consider the incident to present any high risks.”
We do not consider the incident to present any high risks to our clients whose email addresses may have been affected but are releasing this communication to make sure you are aware.
Celsius did not reveal the numbers of affected emails and users.
Celsius customers’ data had been previously leaked in April 2021. Then, the company claimed that hackers stole its customers’ data from a third-party email distribution system.
OpenSea recorded a breach too
OpenSea, the popular NFT marketplace, revealed that its email delivery partner leaked user data.
OpenSea revealed the email partner to be Customer.io.
The NFT marketplace warned users that the breach could increase “email phishing attempts.”
The firm advised users to “stay vigilant about (their) email practices,” adding that everyone who has shared their email with the site previously should assume they have been impacted.
Customer.io takes action
In a July 7 blog post, Customer.io said the senior engineer responsible for the leak had the appropriate level of access for their duties.
The firm clarified that only one employee was responsible for the breach. The said employee has been fired and reported to law enforcement agencies.
We launched a comprehensive security review of our access and security policies to prevent an insider threat from happening again and have already made some changes to the policies.