Hackers stole email addresses and other personal information from 1.4 million accounts after breaching the systems of automated investment platform Betterment in January.
Betterment provides a mix of automated investment tools and financial advisory services and is considered a pioneer in the U.S. "robo-advisory" sector. In total, the fintech firm manages $65 billion in assets for more than one million customers.
While Betterment has not disclosed the total number of affected individuals, data breach notification service Have I Been Pwned analyzed the stolen data and said the breach exposed 1,435,174 accounts, including email addresses, names, and geographic location data.
The compromised information also includes dates of birth, physical addresses, phone numbers, device information, employers' geographic locations, and job titles.
Betterment disclosed on January 10 that the threat actors gained access to some of its systems in a social engineering attack and also sent fraudulent emails disguised as a company promotion. The emails attempted to lure targeted customers into a reward scam that claimed to triple the amount of cryptocurrency sent to attacker-controlled Bitcoin and Ethereum wallets.
"This is not a real offer and should be disregarded. If you clicked on the offer notification, it did not compromise the security of your Betterment account," Betterment warned. "The unauthorized access has been removed, and at this time we have no indication that the unauthorized individual had any access to Betterment customer accounts."
Fake Betterment holiday promotion (Evan Sparks)
After BleepingComputer reported on January 13 that Betterment was under a distributed denial-of-service (DDoS) attack and was being extorted, the company confirmed that intermittent website and mobile app outages were due to a DDoS attack, but has yet to share any information on the extortion attempt.
Earlier this week, Betterment issued another statement saying that a follow-up forensic investigation, conducted in collaboration with the cybersecurity firm CrowdStrike, found that no customer accounts were compromised in the breach.
"Our forensic investigation, supported by the cybersecurity firm, CrowdStrike, has confirmed that no customer accounts, passwords, or login information were compromised as part of the January 9 incident," the company said.