This post was updated on Dec. 29, 2023, to reflect new information
Shakepay believes in being transparent, which is why we want to share details about a recent data incident that affected a small number of our customers and how we responded now that our investigation is complete.
Scope of data impacted
Our investigation revealed that, between March 22, 2023 and December 13, 2023, a malicious actor was able to extract the personal information of a small number of our customers, accessing two different data sets.
The first data set came from our internal platforms. The information potentially accessed included name, email, address, date of birth, phone number, occupation, trusted contact, account balances, and transaction activity. We directly contacted all impacted customers via email on December 14 and published information on our blog and social channels.
The second data set, which was accessed by the same malicious actor between December 10 and 13, came from a third-party platform we use for customer communications. The information potentially accessed includes: name, email, job title, IP metadata, and account details/events (such as 2-factor authentication method, whether the account has a balance, and whether a deposit was made). Account balances, value of deposits, addresses, and phone numbers were not accessed. On December 29, we sent out an email to potentially affected customers notifying them that they were impacted.
All customers affected by this data incident have been contacted directly.
We can confirm that no bank accounts, crypto wallets, custodians, customer credentials, or customer identity documents were compromised in this breach.
A timeline of events
On December 13, we detected suspicious activity on an employee’s work device. Our security team launched an investigation as part of our incident response protocol and immediately locked, deauthenticated, and offboarded this device, and revoked all access. The employee was immediately suspended to allow us to conduct an investigation.
On December 14, we notified customers in the first data set that their personal information may have been extracted by this malicious actor. We were able to quickly confirm the list of impacted customers and scope of data as our internal monitoring protocols log all employee access to these systems.
The same day, out of an abundance of caution, we disabled withdrawals for some impacted customers. Days later, on December 22, we introduced an advanced verification process for these customers which, when completed, re-enabled their access.
On December 18, we received access logs from our third-party customer service platform and, over the next week, confirmed that an additional group of customers may have been impacted. As this information was dependent on third-party cooperation, this part of the investigation took longer than expected.
On December 22, we terminated the employee whose device was the source of the breach for not having followed internal security and operating policy.
On December 29, we directly contacted all impacted customers in the second data set to notify them and published this post explaining the timeline of events and the scope of data that was impacted.
As soon as we became aware of this incident, we focused on the following priorities:
- We launched additional verification for customers performing critical financial activities (such as withdrawing crypto). Certain customers will now be required to re-verify their accounts with face authentication when performing these activities.
- We’ve strengthened internal monitoring and detection systems to catch events like this earlier.
- We’ve increased the number of customer support reps by 35% since December 13 to help improve our customer service response time. We’re continuing to invest heavily in improving our customer service, and customers can expect significant improvements over the coming months.
While this breach is not representative of the customer experience we’d like to offer, it’s worth noting that many of our internal controls, including background checks for all employees, layered and permissioned access to internal platforms for positions dealing with sensitive information, and at-rest encryption for sensitive information, significantly reduced the number of customers impacted by this incident.
As always, we’d like to continue to encourage customers to be aware of signs of suspicious activity and to be especially alert to emails, text messages, and phone calls asking you to change your password, withdraw your funds, confirm or reject a transaction you didn’t perform, or sign in to your account through suspicious links. Enabling an authenticator app is also strongly recommended to all customers.
We recognize the seriousness of this incident, which is why we’re taking important steps to address it. Our focus is not only on resolving this incident, but also on learning from it and making any possible improvements to better protect our customers in the future. Security remains at the forefront of everything we do, and we’re grateful for your continued support.
The following is our original blog post, as published on Dec. 14, 2023
Customer privacy and security are central to everything we do at Shakepay, and we aim to always be transparent. We’re writing this today to inform you of potential unauthorized access to a very small number of our customers’ personal information held at Shakepay, and what we are doing to help manage this.
We want to emphasize that only data was compromised. No bank accounts, crypto wallets, custodians, or customer credentials were affected.
On December 13, 2023, we detected suspicious activity on an employee’s work device. Our security team launched an investigation as part of our incident response protocol and immediately locked, deauthenticated, and offboarded this device.
Our investigation revealed that, between March and December 13, 2023, a malicious actor was able to extract the personal information of a very small number of our customers.
We suspect that the following personal information may have been part of the breach: name, email, address, date of birth, phone number, occupation, trusted contact, account balances, and transaction activity.
Be aware of signs of fraudulent activity
We strongly encourage you to be aware of signs of fraudulent activity. Here is how you can protect yourself:
- Upgrade to a strong method of securing your Shakepay account, such as enabling two-factor authentication with an authenticator app (TOTP).
- Be aware of suspicious emails, SMSs, and phone calls with links requesting you to change your password, to withdraw your funds, to confirm/reject a transaction you did not perform, or to log in through suspicious links. Please consider any such calls you may receive to be malicious, and do not respond.
- Only log in through the Shakepay app or on https://shakepay.com.
- Change the password on your Shakepay account by going into the app and clicking “Forgot my password” on the sign-in page. Create a strong and unique password that you do not use on any other site. Ideally, use a password manager, like 1Password.
As soon as we became aware of this incident, we put in place additional security measures for affected customers.
We also set up a dedicated email address for our customers who have been affected. This address has been sent to potentially affected customers directly.
We want to help those affected make sure that they’re at minimal risk of identity theft during this time, so we will be providing free credit monitoring for two years to affected customers who are interested. This way, they'll receive credit report alerts so they can monitor them and act quickly if necessary.
In the meantime, Shakepay is contacting relevant local and regulatory authorities, and will be working closely with law enforcement to support its investigation into the individuals behind this incident. Our investigation is ongoing.
Your trust is the most important thing for us at Shakepay and we will do everything we can to maintain it. Please know that the security of your money and personal information is always our top priority, and we continue to carefully monitor the situation and use every recourse to protect your personal data and pursue bad actors.
All customers who are potentially affected will be contacted directly. If you are not contacted, it means that you are not affected.
If you need additional assistance, please reach out to our customer support team.