Email provider ActiveCampaign was hit by a social engineering attack earlier this year.
The episode, initially reported in a post by Joe Kelly, CEO of bitcoin company
Unchained Capital on Wednesday, was confirmed by Active Capital.
"ActiveCampaign recently discovered that one or more unauthorized third parties used social engineering tactics to
obtain access to what appears to be a small number of customers’ ActiveCampaign accounts," the company said in a comment provided to MediaPost. "Upon discovering this, we promptly took
action to investigate the incident and, while that investigation remains ongoing, we have notified impacted customers identified to date as well as law enforcement."
The company continues, "The
security of our customers' data is of the utmost importance to ActiveCampaign. We sincerely regret any inconvenience or concern caused by this incident."
Unchained Capital CEO Joe Kelly said
in a Wednesday post that his firm had used ActiveCampaign (AC) until February to support marketing and sales functions.
The limited data that was compromised included email addresses,
usernames, account status (active/inactive) and whether the client had an active vault or loan with Unchained Capital (yes or no),” Kelly wrote.
The event may have
affected “individuals that purchased a service directly through our website, such as Concierge Onboarding, scheduled a consultation, or signed up on our website for updates and our
newsletter," the company said. No shipping addresses were stored on the AC site.
The attack, which occurred on March 10, “was conducted through a live chat tool on AC’s
public website, which did not require any user authentication,” Kelly states.
Kelly says an “attacker impersonating an Unchained Capital employee socially engineered an AC
support chat representative to reactivate Unchained Capital’s account which had been closed on February 17th, 2022."