
Celsius Customer Emails Breached by Third Party


The embattled crypto lending platform, Celsius, has informed customers today that their email delivery vendor, Customer.io, was breached by an employee who gave the information away to an unknown third party with malicious intent.

No employee would turn on their employer with this amount of customer information unless there was a better monetary incentive to give this information away. In other words, this particular employee sold Celsius customer email data to a bad actor.

Celsius doesn't care about their customers

OpenSea customer emails were breached last month too, since it also uses Customer.io as an email delivery provider. However, OpenSea warned affected customers that they were now at increased risk of email phishing scams. This is an obvious fact, but Celsius failed to mention it to its affected customers. Despite OpenSea also being a centralized company, it still appears to be more transparent than Celsius, which pocketed billions of dollars in customer-lent crypto.

In a vague statement, the Celsius team, which is currently facing bankruptcy court proceedings, said:

"We are writing to let you know that we were recently informed by our vendor Customer.io that one of their employees accessed a list of Celsius client email addresses held on their platform and transferred those to a third-party. We do not consider the incident to present any high risks to our clients whose email addresses may be affected."

What to do next

This is a good reminder that when a company uses a third-party email delivery provider, you are at heightened risk of your email address being leaked, since you are trusting that provider to store the data on its servers.

It is always best practice to use a throwaway email address for newsletters and the like, so that if an event like this occurs, further personal information won't be at risk. Those affected by this data breach (or any other) should change other important accounts associated with the breached email address as soon as possible.