Key Takeaways:
Celsius states that an engineer at the Customer.io messaging platform leaked the data to a third-party actor. Celsius notified its customers via email that a list of their email addresses had been exposed by a staff member at one of its corporate data management and messaging partners.
Crypto lending service Celsius disclosed that some of its customer data had been leaked in a third-party data breach. Reportedly, a Customer.io messaging platform engineer gained access to a list of Celsius client emails from an internal database and transferred it to a third-party bad actor. Neither the number of emails leaked nor the kind of information leaked has been disclosed yet.
Announcement from Celsius: “We are writing to let you know that we were recently informed by our vendor https://t.co/452EROQtbc that one of their employees accessed a list of Celsius client email addresses held on their platform and transferred those to a third-party.” — Celsians (@CelsiansNetwork) July 28, 2022
On July 7, Customer.io, whose employee was responsible for the present data breach, put out a blog post taking accountability for the leak.
“We know this was a result of the deliberate actions of a senior engineer who had an appropriate level of access to perform their duties and provided these email addresses to the bad actor.” The platform added that it does not expect to learn any additional information, since the incident resulted from the actions of a single employee who had legitimate access to these email addresses as part of the employee’s job. The messaging platform has also expelled the engineer.
It is worth noting that Customer.io was the same platform involved in the data breach at leading NFT marketplace OpenSea. Earlier this week, Celsius notified its customers via email that a list of their email addresses had been exposed by a staff member at one of its corporate data management and messaging partners. In an attempt to calm customers, Celsius’s email reads, “We do not consider the incident to present any high risks to our clients whose email addresses may have been affected but are releasing this communication to make sure you are aware”.
Email sent to customers on July 26
This is not, however, the first time Celsius has been subjected to an email data breach. Last year, the crypto lending service discovered a data breach in which hackers accessed a “third-party email distribution system” Celsius uses. As part of the 2021 hack, some customers received SMS messages and emails prompting them to reveal personal information and seed phrases.
MetaMask security analyst “harry.eth” took to Twitter to warn Celsius users of potential phishing emails that could be sent to them due to the leak. He warned Celsius customers to be wary of shady emails that start with “verify your wallet to withdraw your funds.”
⚠️ Celsius users should expect phishing emails along the lines of "Verify your wallet to withdraw your funds" that will phish for your SRP/PKey due to this. Remember, your SRP should only be known to you and you only. https://t.co/QYuDhEE7aL — harry.eth