Celsius has confirmed that a list of client email addresses was stolen by an employee of Customer.io, increasing the risk of phishing attacks by malicious third parties.
According to Celsius, the email addresses were held at Customer.io for the management of marketing campaigns, and for that reason, no account details were linked to the data. Celsius was quick to downplay any potential risks from the theft, claiming the leak did not “present any high risks to our clients.”
Despite Celsius’ assertions, the leaked information will expose customers to additional threat vectors when they can least afford it. On June 13, Celsius suspended all customer withdrawals, blaming “extreme market conditions.”
Another fine mess
The latest slice of misery to befall Celsius users is by no means unique to the beleaguered lender.
On July 1 an employee of Customer.io accessed the email database for OpenSea. They then leaked that data to an outside party. It now appears that the same former employee was behind the Celsius breach.
On Thursday Celsius sent an email to its customers to confirm: “Customer.io informed us that one of their employees had accessed a list of Celsius client email addresses from Customer.io’s platform, along with lists from several of their clients, and transferred these lists to a third-party bad actor. Customer.io confirmed that, other than the identified email addresses, no other Celsius client data was accessed or taken by the employee.”
Despite this, questions about the breach and the role Celsius played remain. According to the email, Celsius first identified that there was a possible issue on June 30. At that time, it removed all Celsius email data held by Customer.io.
On July 8, Customer.io confirmed that one of its employees had accessed the Celsius email database. The obvious question is: why did Celsius wait until July 28 to inform its customers about the breach?
The reaction to the latest calamity to befall Celsius was less than positive.
On June 12, the day before Celsius suspended withdrawals, Mashinsky took to Twitter to call out “FUD and misinformation” on the project. The CEO went on to add, “do you know even one person who has a problem withdrawing from Celsius?”
Mashinsky stopped posting to the social media platform on June 15.