Data breach of marketing platform ActiveCampaign

Du kannst auch die deuschsprachige Version dieses Artikels lesen.

Last update: August 18, 2022

Please make sure to also read our follow-up post Improving email data protection, where we share our lessons learned and what we will do differently moving forward.

We are investigating a data breach of ActiveCampaign, a hosted service we have been using for marketing emails. Today we sent out a single email to all email addresses involved to notify them.

Please note that your Bitcoin and crypto funds are safe. This incident has nothing to do with the BitBox02 and the BitBoxApp. There is no need for you to take any action except to be aware of suspicious emails. Please read below for additional details.

Never share any information like your wallet backup or recovery words with anyone. If in doubt, please contact our [email protected].

What happened?

A few days ago, we discovered that our ActiveCampaign account was suspended and immediately contacted their support to understand why. Their security team informed us that an unauthorized party downloaded email lists, even though we are using their additional comprehensive security measures, including mandatory 2FA account access. Despite pushing for details, ActiveCampaign has not provided answers to fundamental questions yet.

We expect attempts to contact our newsletter subscribers will occur. Today, we received reports of phishing emails that are likely connected to this ActiveCampaign data breach. We want to be transparent about the situation and highlight basic security precautions.

We will update this blog post as we learn more about this incident.

What was NOT compromised

This data breach contains minimal contact information, which means that the following is not part of this breach:

• This incident has nothing to do with the BitBox02 and the BitBoxApp. Your funds on the BitBox02 are safe. You hold your keys, and you alone control your coins.
• The personal information needed to ship your order was not stored in ActiveCampaign.

An incident like this is why we host the BitBox shop ourselves and anonymize personal information after 30 days.

What information was compromised

This data breach contains minimal contact information of active contacts that signed up to our mailing list or placed an order within the last 30 days:

• Name or alias
• Email address
• IP address of your computer (e.g., 36.172.17.116)

In order to send follow-up emails to customers, ActiveCampaign temporarily stores transactional data, for example the language selection in the shop, the order number, and the order status (e.g., “fulfilled”), which were also included in the breach. Such transactional data is deleted from ActiveCampaign within 30 days.

For a small number of manually added business partners, like resellers, some additional contact information was stored on ActiveCampaign.

What should I do to stay safe?

In practical terms, you don’t need to do anything. Your BitBox02 is safe, and there’s no action required. We are reaching out to our users and subscribers only to make you aware of the situation. Scammers who might get hold of your email address may try to trick you into sharing sensitive data via phishing attacks.

We always stress how important it is to be wary of any messages you receive, whether by email or social media. As usual, avoid clicking on any suspicious links, and NEVER EVER share your recovery words with anyone, or enter them into any device other than the BitBox02. The same is true for your wallet backup on the microSD card: never plug it into any device that is not the BitBox02.

The data from our email list might be used for phishing in the future. Someone pretending to be us or a trusted party might ask you to do something harmful.

• Never share your recovery words or your wallet backup file with anyone.
  An attacker might ask you for your recovery words to “reactivate” or “unlock” your BitBox, or "verify that your funds are safe" in order to steal your coins. In general, never enter your recovery words on anything else than the BitBox02.
• Never plug in your microSD card into anything else than the BitBox02.
  An attacker or a software might ask you to plug in your microSD card backup to check if your funds are “safe” in order to steal your coins.
• Don’t share personal information.
  Someone pretending to be “support” might ask you to give out personal information to “validate” something.
• Don’t transfer crypto or make a bank transfer just because someone asks.
  A scammer might ask you to transfer money under false pretences, e.g. with a promise to get more money in the future.
• Don’t update the BitBoxApp just now.
  An attacker might pretend that you need to update the BitBoxApp for “security reasons”, and provide a malicious link to a fake version. The latest BitBoxApp is version 4.34.0 released on June 20th, and there’s no new release available right now

We will never ask you for personal information, details about your funds, wallet backup, or recovery words. In case you see something like this: do nothing and report it as “spam” or “phishing” to your email provider. In case of specific questions, reach out to our support team at [email protected].

What’s next

We sent out a single email to all email addresses involved in the ActiveCampaign breach to notify them and warn them about possible phishing attempts.

We will not send any more marketing emails, like our regular BitBox News, or special email series, until we consider the incident with ActiveCampaign resolved.

We will keep updating users about the situation through the following channels:

• Our blog
• Our BitBox Telegram channel
• Our Twitter account @ShiftCryptoHQ

As a Swiss company, privacy is one of our core values. We take great care only to collect the data we need and be transparent about it. Whenever feasible, we host services ourselves, and we get rid of sensitive data or anonymize it as soon as possible.

We sincerely apologize to our users and subscribers. The data we shared with ActiveCampaign were purposely limited to a minimum amount. Nevertheless, we are aware that your data being breached is never acceptable and certainly doesn’t hold up to our standards and values.

We take your privacy seriously, and this incident will only push us to improve and to select partners that work with security and privacy as a priority, as well as regularly review our internal processes.

Please don’t hesitate to contact us at [email protected] with any questions you might have.

Frequently Asked Questions

This section was added on July 26th and updated on August 18th to address recurring questions we got through our support and on social media.

Why do you send out marketing emails?

What we refer to as “marketing emails” is continuous communication with people interested in our BitBox products. These emails are opt-in and come in different forms:

• Education: Bitcoin and hardware wallet basics, setup and usage tutorials
• Updates: notifications about product news, offers, and software updates
• Security: in case of security-critical incidents, we inform existing users

We believe that education is an essential part of security. These (optional) emails help many users understand Bitcoin and self-custody better, allowing them to hold their funds safely.

Why do you use an external service to send these emails?

We do host sensitive services ourselves when that’s feasible. This is why we don’t use external services to host our webshop or customer support. They send and receive emails through external email servers, but incoming emails are deleted as soon as they are fetched by the support system, and persistent storage is fully disabled for all outgoing emails.

But even for these services, sending emails reliably is a challenge. We sometimes get feedback that customers don’t receive an order confirmation or support replies. When we look into it, it’s mostly because some internet service providers (ISP) blacklisted our email server. There’s no way to prevent that because we can’t detect that on our own, and there’s limited recourse.

The following quote from an online article mirrors our experience:

If you try to send bulk email from your own email client, the activity is likely to be flagged as suspicious and you will be marked as a spammer. Once you are identified as a spammer, all emails coming from your company’s web domain can be blacklisted and blocked by major internet service providers (ISPs). This means your company’s emails – even the individual messages you send to communicate with clients – can be blocked.

Sending out emails to a lot of recipients in a reliable and efficient way requires a lot of expertise and dedicated technology. We simply cannot do it internally.

What’s the current status of the ActiveCampaign data breach?

ActiveCampaign has engaged a cybersecurity firm to investigate the incident and has notified law enforcement. However, we are still waiting for ActiveCampaign's security team to answer basic questions.

We monitor the situation closely and will continue providing updates if needed. We've requested ActiveCampaign to suspend any automated email activity, including scheduled email series, like the BitBox introduction tutorial.

Will you send out newsletters again?

Yes! We believe that email is a great medium for education, which in our view is an essential part of security. These (optional) emails help many users understand Bitcoin and self-custody better, allowing them to hold their funds safely.

We revisited our email strategy and sent out our first newsletter following our updated guidelines today, August 18, 2022. We documented in a follow-up blog post what we will do differently moving forward:

Improving email data protection

After the ActiveCampaign data leak, we revisited our email strategy. In this post, we share what we will do differently moving forward.

BitBox BlogShift Crypto