- Key insight: Threat actors likely used “vishing” or voice phishing to compromise IT support at a third-party vendor, believed to be Salesforce.
- What’s at stake: While account passwords weren’t compromised, exposed data included names, emails, and for some, physical addresses, phone numbers, and birthdates.
- Supporting data: Threat group ShinyHunters claimed responsibility, listing a database it alleged contained over 2 million records with personally identifiable information.
Overview bullets generated by AI with editorial review
A data breach at robo-advisor Betterment exposed the personal information of nearly 1.4 million customers, according to a Thursday update from breach notification service Have I Been Pwned.
Betterment did not immediately respond to a request for comment. In its
The incident involved unauthorized access to third-party marketing and operational platforms — likely Salesforce, though neither company has confirmed as much.
The fintech has said that the primary impact of the breach was exposure of customer names and email addresses — not customer accounts, passwords, or login information. A subset of users also had physical addresses, phone numbers and birthdates exposed, according to Betterment and Have I Been Pwned.
Have I Been Pwned said its 1.4 million figure refers to the number of unique email addresses exposed in the breach.
The breach is yet another example of the third-party risk facing financial institutions, particularly as threat actors increasingly target the software-as-a-service ecosystems that banks use for customer relationship management and marketing.
It first became apparent that a problem was brewing on Jan. 9, when I and other Betterment customers received an email with a subject line addressing the customer by name, saying, “we’ll triple your crypto sends!”
The message urged users to send bitcoin or ethereum deposits to two addresses listed in the email, with a promise that Betterment would be “adding tripling (sic) Bitcoin and Ethereum deposits for the next three hours.”
Betterment followed up with an email two hours later saying that attackers used unauthorized access to a third-party platform to send the fraudulent message, and the supposed offer should be disregarded.
The company said the next day that if any customers clicked on the email, it did not compromise their Betterment account, and that it had “no indication” at the time that the unauthorized individual had any access to Betterment customer accounts.
Two days later, on Jan. 12, the company admitted to customers that there had been a breach of certain customer “names, email addresses, physical addresses, phone numbers and birthdates.”
ShinyHunters claims responsibility
Betterment has not explicitly named the compromised vendor, but the details align with a broader campaign targeting users of Salesforce, the customer relationship management giant.
A threat group known as ShinyHunters claimed responsibility for the attack two weeks after the fraudulent email went out to Betterment customers.
On its victim shaming and data leak site, ShinyHunters listed a Betterment database it claimed contained “over 2 million records containing Personally Identifiable Information.” Confusingly, the threat group has also claimed there are 20 million total records.
ShinyHunters has been targeting Salesforce instances to breach other companies including Crunchbase and SoundCloud, and while Betterment has not confirmed whether Salesforce is involved in this data breach, it has described the entry point as “third-party software platforms” used for marketing and operations.
Google Threat Intelligence first reported in June that a threat group using the ShinyHunters brand was compromising Salesforce instances and making subsequent extortion attempts. The company said threat actors executed these breaches through sophisticated voice phishing, or “vishing,” campaigns rather than technical exploits.
In such attacks, operators impersonate IT support personnel to trick employees into providing credentials or multi-factor authentication codes. Once they gain access, the attackers often register a malicious connected app — sometimes disguised as the legitimate Salesforce “Data Loader” tool — to exfiltrate customer data in bulk.
This method allows them to bypass traditional network defenses by leveraging the trust inherent in the identity fabric of the SaaS platform.
Salesforce responds to social engineering campaign
Salesforce has said that these incidents do not stem from a vulnerability in its platform but rather from social engineering tactics. The company also said it actively monitors these campaigns and has alerted potentially affected customers.
Salesforce security teams have updated guidance on defending against identity compromise and vishing. To prevent similar third-party compromises, the company has advised customers to enforce phishing-resistant multi-factor authentication, such as FIDO2, particularly for SaaS admin portals.
Other red flags accompany these campaigns. Security teams can watch for large data downloads, bulk exports and the registration of new API tokens or connected apps.
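The red flags above (a newly registered connected app, followed by a bulk export of customer records) can be turned into simple detection logic over a Salesforce-style event stream. This is an added example, not code from Betterment, Salesforce or the article; the event records, the approved-app allowlist and the thresholds are constructed for illustration.

```python
"""Flag the three red flags named in the article: unapproved connected-app
registrations, bulk exports, and a fresh app used for a bulk export.
All event records below are constructed for this example, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical allowlist of connected apps this org expects to see.
APPROVED_APPS = {"Marketing Sync", "Support Console"}
BULK_ROW_THRESHOLD = 50_000        # rows per job that warrants review
WINDOW = timedelta(hours=2)        # registration-to-export window to correlate

# Constructed events, loosely modelled on Salesforce EventLogFile fields.
EVENTS = [
    {"ts": "2026-01-09T08:00:00", "type": "Login", "user": "admin@example.com", "app": "Browser", "rows": 0},
    # Attackers in these campaigns disguise their app as the legitimate "Data Loader".
    {"ts": "2026-01-09T08:05:00", "type": "ConnectedAppRegistered", "user": "admin@example.com", "app": "Data Loader", "rows": 0},
    {"ts": "2026-01-09T08:20:00", "type": "BulkApiJob", "user": "admin@example.com", "app": "Data Loader", "rows": 1_400_000},
    {"ts": "2026-01-09T09:00:00", "type": "BulkApiJob", "user": "etl@example.com", "app": "Marketing Sync", "rows": 20_000},
]

def detect(events, approved=APPROVED_APPS, threshold=BULK_ROW_THRESHOLD, window=WINDOW):
    """Return findings as (severity, user, reason) tuples, in event order."""
    findings = []
    registrations = defaultdict(list)  # user -> [(registration time, app name)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        when, user, app = datetime.fromisoformat(ev["ts"]), ev["user"], ev["app"]
        if ev["type"] == "ConnectedAppRegistered":
            registrations[user].append((when, app))
            if app not in approved:
                findings.append(("medium", user, f"unapproved connected app registered: {app}"))
        elif ev["type"] == "BulkApiJob" and ev["rows"] >= threshold:
            findings.append(("high", user, f"bulk export of {ev['rows']} rows via {app}"))
            # Strongest signal: an app registered moments ago is already pulling data in bulk.
            recent = [a for t, a in registrations[user] if a == app and when - t <= window]
            if recent:
                findings.append(("critical", user, f"new app {app} used for bulk export within {window}"))
    return findings

if __name__ == "__main__":
    for severity, user, reason in detect(EVENTS):
        print(f"[{severity}] {user}: {reason}")
```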
Minimizing the amount of sensitive customer data stored in marketing platforms can also reduce the “blast radius” of such an attack.