In an email to clients and a letter posted on the company website on Wednesday, Unchained Capital CEO Joe Kelly said ActiveCampaign (AC), an outside email marketing provider used by Unchained until earlier this year, was hit with a social engineering attack last week. Unchained Capital is a bitcoin-only financial services provider.
Kelly pointed out that the attack occurred on the AC platform, meaning that only information shared with AC – client email addresses, usernames, account status, whether the client had an active multisig vault or loan with Unchained Capital and possibly IP addresses – may have been exported without authorization.
Not compromised, said Kelly, were any of Unchained’s systems, meaning client profile information that was never shared with AC was not leaked. This would include data like physical addresses, Social Security numbers, dates of birth, IDs, phone numbers, bank account numbers, passwords, bitcoin addresses, bitcoin balances, loan balances, trading activity, vault statements and loan statements.
Kelly added that while client bitcoin custody is protected by multisig cold storage, clients nevertheless should be aware of what happened and be vigilant against phishing attacks.
“We are deeply sorry this incident occurred as we take our client’s privacy very seriously,” concluded Kelly. “We want to reinforce the fact that, due to our collaborative custody model, no such incidents could ever put any client funds at risk.”