Betterment data breach exposes 1.4 million customers


In a recent cybersecurity incident, a data breach at robo-advisor Betterment has exposed the personal information of approximately 1.4 million customers. This information came to light through a recent update from the breach notification service Have I Been Pwned. The underlying cause of the breach appears to be a voice-phishing, or “vishing”, attack on IT support at a third-party vendor, believed to be Salesforce. However, neither Betterment nor Salesforce has confirmed this.

Betterment, an automated investing service, has not yet made any public comments confirming the data breach or the number of affected customers. The company first acknowledged the incident in January, but it did not disclose the total number of affected users. The compromised data primarily includes customer names and email addresses. A subset of users also had their physical addresses, phone numbers, and birth dates exposed, according to Betterment and Have I Been Pwned.

Understanding the Breach

The breach first came into public view on January 9, when Betterment customers received an email urging them to send bitcoin or ethereum deposits to certain addresses. The email promised to triple these deposits for the next three hours. Betterment quickly followed up with an email informing customers that the previous message was fraudulent, had been sent through unauthorized access to a third-party platform, and should be disregarded.

On January 12, Betterment informed its customers of a breach involving customer names, email addresses, physical addresses, phone numbers, and birth dates. The company assured customers that no accounts or passwords were compromised in the incident.

ShinyHunters Claims Responsibility

Two weeks after the fraudulent email incident, a threat group named ShinyHunters claimed responsibility for the attack. On its victim-shaming and data leak site, ShinyHunters listed a Betterment database that it claims contains over 2 million records with personally identifiable information. The group has also claimed to have breached 20 million records in total.

ShinyHunters has a history of targeting Salesforce instances to breach companies including Crunchbase and SoundCloud. Though Betterment has not confirmed Salesforce’s involvement in this data breach, it did describe the entry point as “third-party software platforms” used for marketing and operations.

Method of Attack

According to Google Threat Intelligence, ShinyHunters uses vishing campaigns to carry out these breaches. In such attacks, operators pose as IT support personnel to trick employees into handing over credentials or multifactor authentication codes. Once they gain access, they often register a malicious connected app to exfiltrate customer data in bulk.

This method allows attackers to bypass traditional network defenses by taking advantage of the trust inherent in the identity fabric of the SaaS platform.

Salesforce’s Response

Salesforce has clarified that these incidents are not due to a vulnerability in its platform but are rather a result of social engineering tactics. The company has alerted its potentially affected customers and updated its guidance on defending against identity compromise and vishing.

To prevent similar breaches, Salesforce has advised customers to enforce phishing-resistant multifactor authentication, such as FIDO2, especially for SaaS admin portals. It also flags large data downloads, bulk exports, and the registration of new API tokens or connected apps as potential signs of such campaigns.
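As an added illustration (not code from the article, Betterment, or Salesforce), the following Python script applies those indicators to a constructed audit log. The CSV shape and event names are assumptions for the example, not Salesforce’s real event schema; the threshold is likewise a placeholder.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit log (assumption: simplified CSV, not a real SaaS schema).
# It contains a normal admin session and a session that matches the vishing-to-
# exfiltration chain: login with a weak MFA factor, new connected app/API token,
# then bulk exports of customer objects.
SAMPLE_EVENTS = """timestamp,user,event,detail,rows
2026-01-08T09:12:00Z,alice@example.com,LOGIN,MFA=fido2,0
2026-01-08T09:15:30Z,alice@example.com,REPORT_EXPORT,Contacts,800
2026-01-08T22:41:05Z,helpdesk-temp@example.com,LOGIN,MFA=sms,0
2026-01-08T22:43:10Z,helpdesk-temp@example.com,CONNECTED_APP_CREATED,bulk-sync-tool,0
2026-01-08T22:44:00Z,helpdesk-temp@example.com,API_TOKEN_CREATED,bulk-sync-tool,0
2026-01-08T22:50:00Z,helpdesk-temp@example.com,BULK_API_EXPORT,Contacts,750000
2026-01-08T22:51:00Z,helpdesk-temp@example.com,BULK_API_EXPORT,Leads,650000
"""

BULK_ROW_THRESHOLD = 100_000  # placeholder; tune to the org's normal export sizes
REGISTRATION_EVENTS = {"CONNECTED_APP_CREATED", "API_TOKEN_CREATED"}


def detect_suspicious(csv_text, threshold=BULK_ROW_THRESHOLD):
    """Group events per user and return findings keyed by user.

    A user is 'medium' if they registered a new app/token or ran a bulk export,
    and 'high' if a bulk export follows a registration, which is the chain the
    article describes. Users with neither indicator are omitted.
    """
    per_user = defaultdict(lambda: {"registrations": [], "exports": [], "bulk_rows": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        u = per_user[row["user"]]
        rows = int(row["rows"])
        if row["event"] in REGISTRATION_EVENTS:
            u["registrations"].append((row["timestamp"], row["event"], row["detail"]))
        elif row["event"].endswith("EXPORT") and rows >= threshold:
            u["exports"].append((row["timestamp"], row["detail"], rows))
            u["bulk_rows"] += rows
    findings = {}
    for user, data in per_user.items():
        if not data["registrations"] and not data["exports"]:
            continue
        # ISO-8601 UTC timestamps in a fixed format compare correctly as strings.
        first_reg = min((t for t, _, _ in data["registrations"]), default=None)
        chained = first_reg is not None and any(t > first_reg for t, _, _ in data["exports"])
        findings[user] = {"severity": "high" if chained else "medium", **data}
    return findings


if __name__ == "__main__":
    for user, f in detect_suspicious(SAMPLE_EVENTS).items():
        print(f"{f['severity'].upper()} {user}: {len(f['registrations'])} registration(s), "
              f"{f['bulk_rows']} rows exported")
```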

This incident serves as a reminder of the third-party risk facing financial institutions, especially as threat actors target the software-as-a-service ecosystems that banks use for customer relationship management and marketing. It also underscores the importance of minimizing the amount of sensitive customer data stored in marketing platforms, to reduce the “blast radius” of such an attack.

For more details, read the full story Here.

John Wick
ABJ, a Senior Writer at All Banking, brings over 10 years of automotive journalism experience. He provides insightful coverage of the latest banking jobs across the American and European markets.