If you’ve been following the ongoing implosion of Celsius, there is another chapter in the ongoing saga.
Evidently one of the third party data management companies they were using had a massive security breach. I could write a summary, but I’ll just let the email notification they sent speak for itself:
We are writing to let you know that we were recently informed by our vendor Customer.io that one of their employees accessed a list of Celsius client email addresses held on their platform and transferred those to a third-party.
We do not consider the incident to present any high risks to our clients whose email addresses may have been affected but are releasing this communication to make sure you are aware.
We have been in ongoing communication with Customer.io. They have confirmed that no other Celsius-related data was compromised beyond those identified email addresses.
To state clearly, Celsius’ systems and security had not been involved or impacted. Celsius’ robust security and data protection management, and our focus on protecting our clients’ data, remain intact.
On 30 June 2022, Celsius identified that one of its vendors, Customer.io, had been involved with a data breach connected to OpenSea. Celsius proceeded to remove all data held with Customer.io. We quickly contacted Customer.io and they responded that, as of that time, no Celsius data had been involved in their breach. Celsius requested all details surrounding the incident.
On 8 July 2022, Customer.io informed us that one of their employees had accessed a list of Celsius client email addresses from Customer.io’s platform, along with lists from several of their clients, and transferred these lists to a third-party bad actor. Customer.io confirmed that, other than the identified email addresses, no other Celsius client data was accessed or taken by the employee.
Evidence of this incident has not yet been provided to us by Customer.io.
Customer.io made a public statement on the matter
Celsius sees this as a severe violation of vendor-client relations, and we have notified the appropriate authorities. Again, we do not consider the incident to present any high risks to our clients whose email addresses may have been affected. Should you wish to contact us for further information regarding the incident, please contact our data protection officer, Charles Roberts, at firstname.lastname@example.org for further information.
Note: Celsius will never ask you for private keys or to send funds to external addresses. Always verify that you’re interacting with the celsius.network domain when receiving emails from us.