We are letting our clients and community know about a security incident that occurred at one of the vendors we previously used for email marketing, resulting in the compromise of Unchained Capital client and marketing data detailed below. Importantly, there is no impact whatsoever to Unchained Capital’s systems, nor were client assets secured through our platform ever at risk.
ActiveCampaign (“AC”), a third-party email marketing provider that Unchained Capital used until early in 2022, was the subject of a social engineering attack last week. This attack occurred after Unchained Capital had closed its AC account and requested that all data be purged. While the attack occurred on a third party, it has impacted our clients and it was ultimately the result of our decision to work with this vendor. Regardless of any failures by third parties, we are accountable to our clients in all cases. In this instance, we have let them down and it is necessary that we share details of the security incident which occurred on Thursday, March 10th.
What information was NOT compromised
The social engineering attack took place on the AC platform, and involved AC personnel, procedures, systems and applications. None of Unchained Capital’s systems, applications, employees, or accounts (admin or client) were compromised. Because none of Unchained Capital’s systems were compromised, the following information was NOT subject to the compromise: client profile information containing personally identifiable information (e.g. addresses, SSN, DOB, IDs, phone numbers used in our KYC process), bank account numbers, passwords, bitcoin addresses, bitcoin balances, loan balances, trading activity, vault statements, loan statements.
None of this information was provided to ActiveCampaign and was therefore never subject to compromise through the attack on AC. Because our bitcoin custody is built on multisig and cold storage, through which clients hold their own keys, no funds were ever at risk, but it is critical that clients be diligent and on high alert for the reasons described below.
What information was compromised
Unchained Capital used AC until February 2022 to support our marketing and sales functions. As a result, limited data was shared with AC depending on the nature of services clients or prospective clients were interested in or used. Elements of this data were compromised and exported by an unauthorized user as described below.
For clients, this data included: email addresses, usernames, account status (active/inactive) and whether the client had an active vault or loan with Unchained Capital (yes or no).
For individuals that purchased a service directly through our website, such as Concierge Onboarding, scheduled a consultation, or signed up on our website for updates and our newsletter, this data included: their name, email address, and IP address (but no shipping addresses were ever stored in AC).
What steps clients should consider taking
It is always important that our clients be diligent about confirming all communications and any requests that appear to come from Unchained Capital. Given the data leak, clients should be on high alert for spear phishing: the attacker holds email addresses, usernames, and in some cases names and whether a client has an active vault or loan, which is enough to write a convincing, personalized message. Be especially careful about clicking on any links. Check the actual destination of a link (not the text it displays) and make sure it is an HTTPS link to unchained.com or a subdomain of it; a lookalike domain can also be served over HTTPS, so the padlock alone is not proof of authenticity. If any email or communication looks suspicious, please contact us at firstname.lastname@example.org or call us at 1-844-486-2424 to confirm its authenticity. Please be diligent, and where there is any doubt, err on the side of caution and reach out to us for confirmation. Specifically, if you receive suspicious emails asking you to change passwords, sign transactions, or replace any keys that secure your bitcoin, please do not take any such actions and reach out to us immediately. Our client services team and executives are on standby to take calls and answer all questions clients have. We will also be hosting a continuing education webinar on spear phishing and general best practices to avoid the associated risks.
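The link check described above, as an added example that is not part of the original notice or of Unchained Capital's own tooling: the script pulls every link target out of an HTML email and accepts it only if the scheme is HTTPS and the real hostname is unchained.com or a subdomain of it. The sample email body, the ALLOWED_HOSTS value, and the function names are constructed for illustration. Note what the check does and does not do: it rejects lookalike hosts (unchained.com.example, unchained-com.example, a userinfo trick such as unchained.com@evil.example, a homoglyph "i") and plain-HTTP links, but it cannot tell you whether a genuine unchained.com page has been tampered with, so the advice to call and confirm still applies.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only domain the notice names as legitimate. Subdomains
# (www.unchained.com) are accepted; anything else is treated as untrusted.
ALLOWED_HOSTS = ("unchained.com",)


def is_trusted_link(url: str) -> bool:
    """True only for https:// links whose real host is an allowed host or a subdomain of one."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False  # plain http, mailto:, javascript:, etc. are all rejected
    # .hostname is lowercased and has userinfo ("user@"), port and IPv6 brackets
    # removed, so "https://unchained.com@evil.example/" resolves to evil.example.
    host = parts.hostname
    if not host:
        return False
    # Exact match or a proper subdomain. A homoglyph host (Cyrillic i) is a
    # different string and fails the comparison; "unchained.com.evil.example"
    # does not end with ".unchained.com" and fails too.
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[list[str]] = []
        self._open: list[str] | None = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            self._open = [href, ""]
            self.links.append(self._open)

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None


def audit_email_links(html_body: str) -> list[dict]:
    """Return one record per link: the real target, the text the reader sees, and the verdict."""
    collector = _LinkCollector()
    collector.feed(html_body)
    return [
        {"href": href, "text": text.strip(), "trusted": is_trusted_link(href)}
        for href, text in collector.links
    ]


# Constructed sample: a phishing-style message whose second link displays a
# legitimate-looking address but points at a lookalike host, and whose third
# link is plain HTTP. Not a real email.
SAMPLE_EMAIL = """
<p>Please review your account:</p>
<a href="https://www.unchained.com/">unchained.com</a>
<a href="https://unchained.com.login-verify.example/reset">https://unchained.com/reset</a>
<a href="http://unchained.com/">http://unchained.com/</a>
"""

if __name__ == "__main__":
    for rec in audit_email_links(SAMPLE_EMAIL):
        flag = "OK      " if rec["trusted"] else "UNTRUSTED"
        print(f"{flag}  shown as {rec['text']!r:40} -> {rec['href']}")
```

Run it as-is to see the three verdicts; in practice you would feed it the raw HTML of a suspicious message. The important design choice is that the verdict is computed from the href alone, never from the anchor text, because the displayed text is exactly what a phisher controls.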
Details of security incident
The attack was conducted through a live chat tool on AC’s public website, which did not require any user authentication, on Thursday March 10th between approximately 8-9am CST.
An attacker impersonating an Unchained Capital employee socially engineered an AC support chat representative into reactivating Unchained Capital's account, which had been closed on February 17th, 2022. The attacker(s) then socially engineered a second AC support chat representative into adding an administrative user with a username and password supplied by the attacker. Because the credentials were set by AC support at the attacker's request, the attacker gained access to the reopened account without ever controlling a valid Unchained Capital email address, and was able to export data from our previously closed AC account.
Though we had requested that this data be deleted, it was not. Unfortunately, we only learned that AC had not deleted the data after discovering the social engineering attack. Within 20 minutes of the attack, an Unchained Capital administrator received emails containing the fraudulent chat transcripts and took immediate measures to restrict further access. After the attack was identified, Unchained Capital worked to gather the relevant facts. Ultimately, on Tuesday, March 15th, AC confirmed that unauthorized access did occur and that the attacker was able to export the data described above.
Duty to our clients
Regardless of any actions or failures by third parties, our commitments are to the clients, prospective clients, and partners who put their trust in Unchained Capital, and we take responsibility to each of them. Furthermore, we have an obligation, not an option, to make this disclosure to help ensure the security of our clients regardless of the negative impact it may have on our business.
While we minimize the need for trust in the ultimate security of client funds through our approach to custody, our clients still put an immense amount of trust in us to protect their privacy and to ensure these incidents do not occur. As bitcoiners and clients of Unchained Capital ourselves, we have taken on these responsibilities with a clear understanding of the weight of our obligations. While we carry the gravity of this disclosure and security incident with us, we will learn from mistakes and strive to do better.
Working to do better
We go to great lengths to secure client data through our internal infrastructure, proprietary applications, and the third parties we rely upon to run our business. We use encryption, access control, and user management, and we are extremely conservative about what information we share with third parties, far more conservative than the standard in our industry. We perform due diligence before engaging any new vendor to process data for us, including a review of any independent security audits (such as SOC 2 reports), and hold our vendors to a high standard.
Our high standards for client privacy ensured that we limited the amount of data we shared with ActiveCampaign. But with these same high standards, any exposure of client data is unacceptable to us. We have ensured that this social engineering attack vector is not possible with our current email marketing provider and over the coming weeks, we will be carefully reviewing all security measures and processes including vendor risk management.
We are deeply sorry this incident occurred, as we take our clients' privacy very seriously. Our mission is to grow bitcoin adoption and to empower our clients to hold their own private keys, eliminating us or any financial institution as a single point of failure. We want to reinforce that, due to our collaborative custody model, no such incident could ever put client funds at risk.
If you are a client and have any questions, please email us at email@example.com or call us at 844-486-2424.
CEO and Co-Founder