Email provider ActiveCampaign was hit by a social engineering attack earlier this year.
The episode, initially reported on Wednesday in a post by Joe Kelly, CEO of bitcoin company Unchained Capital, was confirmed by ActiveCampaign.
"ActiveCampaign recently discovered that one or more unauthorized third parties used social engineering tactics to obtain access to what appears to be a small number of customers’ ActiveCampaign accounts," the company said in a comment provided to MediaPost. "Upon discovering this, we promptly took action to investigate the incident and, while that investigation remains ongoing, we have notified impacted customers identified to date as well as law enforcement."
The company continues, "The security of our customers' data is of the utmost importance to ActiveCampaign. We sincerely regret any inconvenience or concern caused by this incident."
Unchained Capital CEO Joe Kelly said in a Wednesday post that his firm had used ActiveCampaign (AC) until February to support marketing and sales functions.
“The limited data that was compromised included email addresses, usernames, account status (active/inactive) and whether the client had an active vault or loan with Unchained Capital (yes or no),” Kelly wrote.
The event may have affected “individuals that purchased a service directly through our website, such as Concierge Onboarding, scheduled a consultation, or signed up on our website for updates and our newsletter,” the company said. No shipping addresses were stored on the AC site.
The attack, which occurred on March 10, “was conducted through a live chat tool on AC’s public website, which did not require any user authentication,” Kelly states.
Kelly says an “attacker impersonating an Unchained Capital employee socially engineered an AC support chat representative to reactivate Unchained Capital’s account which had been closed on February 17th, 2022.”