In July 2022, we were affected by a data breach at ActiveCampaign, a hosted service we used for marketing emails. The exposed data contained email addresses - mostly newsletter subscribers, a few business contacts and transactional data - which could be used to send spam or phishing emails. We immediately informed all affected users and documented the breach and the ongoing investigation in a dedicated blog post. This transparency ties in with our efforts to protect our customers’ personal data.

This post shares what we learned and how we plan to move on. It highlights why we use an external partner in the first place and what we will do better going forward.

Emails for education and updates

By “marketing emails” we mean continuous communication with people interested in our BitBox products. These emails are opt-in and come in different forms:

  • Education: Bitcoin and hardware wallet basics, setup and usage tutorials
  • Updates: notifications about product news, offers, and software updates
  • Security: in case of security-critical incidents, we can inform subscribers to our newsletter

We believe that education is an essential part of security. These (optional) emails help many users understand Bitcoin and self-custody better, allowing them to hold their funds safely.

Going forward, we will continue to offer opt-in emails that provide value to our users.

Specialized providers for bulk emails

We host sensitive services ourselves when that’s feasible. We don’t use external cloud applications to run our webshop or customer support.

Our own services also send out emails themselves without using an external email service. Even for them, reliably sending emails is challenging. We sometimes get feedback that customers don’t receive an order confirmation or support replies. When we look into the issue, the most frequent cause is that some internet service providers blocked our email servers. Sometimes we can get ourselves unblocked, but it’s a constant uphill struggle.

Because sending out emails to many recipients reliably and efficiently requires a lot of expertise and dedicated technology, this is something we cannot do internally.

Going forward:

  • We will be more explicit during opt-in signup about what data we share with what external service for what purpose.
  • We will further limit the data submitted to include only the email address, not sharing any names, aliases, or other personal information.
  • We will no longer send purchase reminders from the shop using an external service. For now, this means that we can’t send reminder emails to shop customers, e.g., that we did not receive a bank payment within a week. As these are helpful to customers, we will program this functionality directly into our self-hosted shop.

A new provider for our marketing emails

While it’s still unclear exactly how the ActiveCampaign data breach happened, we decided not to continue with them, mainly due to their lack of transparency and responsiveness in dealing with the data breach.

We evaluated many email service providers over the last few weeks, including Mailchimp, Hubspot, Zoho Campaigns, Sendinblue, Mailjet, and many others. Specifically, we vetted their security features, data protection guidelines, and support responsiveness.

Going forward, we decided to use Sendinblue. Some of the reasons why we think they are the best fit for us:

  • A comprehensive set of well-documented security measures
  • Assurances and dedicated processes implemented against social engineering attacks
  • Data is hosted within the European Union, following the comprehensive German legal data protection regulations
  • IP addresses of recipients are only used internally and are not downloadable or available to us or anyone else in other ways
  • Responsive support, providing complete answers even to critical and technical questions

We take the protection of our users’ personal data seriously:

  • We overhauled our Privacy Policy to make sure it’s accurate, complete and easy to understand
  • Our email communication was always compliant with GDPR (General Data Protection Regulation) and other established best practices
  • Every mail contains a simple unsubscribe link
  • We will also continue to delete (not archive) inactive contacts that unsubscribed

The goal is to be as transparent as possible and give our users the explicit choice of whether they want to opt in to our email communications.

Going forward

We are aware that nothing is guaranteed to be 100% secure, and this is why we will combine:

  • the email service with the best security according to our assessment,
  • working with the least amount of data necessary,
  • providing full transparency about what data is shared with whom for what purpose.

Again, we sincerely apologize to our users and subscribers for the incident. The data we shared with ActiveCampaign were purposely limited to a minimum amount. Nevertheless, we are aware that your data being breached in any form is never acceptable and certainly doesn’t hold up to our standards and values.

We take your privacy seriously, and this incident pushed us to improve. We feel that, with the additional measures explained above, we can find a good balance of practical education and communication with our users through email while keeping their personal information safe.

Shift Crypto is a privately-held company based in Zurich, Switzerland. Our team of Bitcoin contributors, crypto experts, and security engineers builds products that enable customers to enjoy a stress-free journey from novice to mastery level of cryptocurrency management. The BitBox02, our second generation hardware wallet, lets users store, protect, and transact Bitcoin and other cryptocurrencies with ease - along with its software companion, the BitBoxApp.