The crypto lending platform Celsius was hit with a data breach yesterday, according to official statements.
The company said attackers gained access to a “back-up third-party email distribution system” with a partial list of customer emails. The fraudsters then impersonated official company communications, asking users to provide their seed phrase—the private list of words that works like a key to users’ crypto wallets.
Customers say they’ve also received SMS messages with phishing links.
Hey Celsians – Our team is continuing to investigate the source of a fraudulent email that some Celsius customers have recently received. We're working to provide more updates as soon as possible.
Read more: https://t.co/iaKt6csLGV
— Celsius (@CelsiusNetwork) April 15, 2021
In a blog post, Celsius CEO Alex Mashinsky wrote that the company is “conducting a full internal investigation to see if there was anything at all that could have been done to prevent this.”
The note also stressed that “all funds are safe,” and that the hackers have not breached any of the company’s internal systems.
But that isn’t to say money hasn’t been stolen from Celsius customers—even if the funds on Celsius’ platform haven’t gone anywhere, fraudulent links sent through email or SMS can allow hackers access to users’ crypto wallets.
Need to clarify – our back-office was and is, as always, safe and secure. Like any company in the world we use many vendors and we are now investigating all of them to find where the list of emails and few phones came from. https://t.co/05rHmku3pQ
— Nuke Goldstein (@NukeGold) April 14, 2021
The Celsius hack is reminiscent of last year’s data breach at Ledger, a crypto wallet provider, where attackers gained access to one million customer emails. Users have since sued over alleged efforts to “cover up” the breach.
Celsius did not immediately respond to a request for comment.