The HubSpot Hack | The SaaS Backdoor to Bitcoin - ft. Scott Kisser (CISO, Swan Bitcoin)
Welcome to The CISO Signal True
Cybercrime podcast. I'm Jeremy Ladner.
This breach didn't start with malware
or ransomware or a dramatic takedown.
It started with something
far simpler and far more dangerous.
A single phished password, a SaaS vendor,
and an attacker who suddenly had the keys
to thousands of downstream victims.
In March of 2022, HubSpot
confirmed that attackers
had quietly slipped past its defenses.
Weeks later, Klaviyo revealed the same.
On paper,
the SaaS companies were the ones breached,
but in reality,
the real targets were the businesses
depending on them,
especially Bitcoin and crypto firms
whose customers
suddenly found themselves
in the crosshairs.
Because once the attackers controlled
the vendor's internal tools,
they didn't
need to break
into every company individually.
They could impersonate them.
Emails crafted with perfect
branding, landing pages
designed to
harvest seeds, credentials,
and anything a person needed to protect.
A compromise
in the middle, weaponized at the edges.
So the question becomes
who was really hacked?
And how do you defend
against an adversary
who never touches your infrastructure,
because they've already infiltrated
the inbox of the vendor
you trust every single day?
This week's guest CISO co-host is
Scott Kisser,
chief information
security officer at Swan Bitcoin,
a company directly
affected by this attack.
Scott's career spans
more than two decades,
leading security operations
at Salesforce,
DocuSign, Amazon and many, many more.
He has built global
security programs,
led intelligence teams,
and defended some of the world's
most targeted systems across
cloud, SaaS and fintech.
Scott, it's
great to finally have you on the show.
Welcome to the podcast.
Great to see you again, Jeremy.
Thanks for having me on.
I'm glad it worked out.
Are you ready to get started?
Absolutely.
Let's begin the investigation.
We are in the midst of a ceaseless war.
Not of bombs or bullets, but of breaches,
firewalls and silent incursions.
The targets:
our borders, our banks, our commerce
and the critical infrastructure
that underpins a free civilization.
The enemy is cloaked in code,
fueled by greed,
glory, and a desire for chaos.
This is the story of the unseen
protectors, the nameless
generals, the CISOs,
chief information security officers.
They are the guardians at the gate.
The watchers on the wall.
Ever vigilant and always listening
for The CISO signal.
Act I
The Treasure Hunt
In mid-March of 2022,
HubSpot confirmed
what many security teams fear most.
A single employee
account had been phished,
and with it,
an intruder
slipped in through the breach,
gaining access
to dozens of customer environments,
most of them
tied to bitcoin
and cryptocurrency companies.
Names, emails and contact details.
Not private
keys, not ledgers,
but enough to draw a clean line
from marketing lists
to real users holding real value.
Among them was Swan Bitcoin.
And somewhere
in that 24-hour fog of alerts and emails,
a notification landed
on the desk of Swan's CISO, Scott Kisser.
Okay, Scott, this is it.
You know you've been attacked.
What's your first move?
When I first learned about this breach,
my first indication is,
how are our systems?
How are Swan Bitcoin's systems?
Is there anything to worry about?
Initial checks,
and everything is sound on our side,
allowed us to focus
directly with the HubSpot team.
To their credit,
they had amazing customer outreach.
Of course, during these critical events,
we quickly learned
that Swan
Bitcoin was not the sole target.
HubSpot reached out,
and with their early information
about the breach,
they specifically confirmed
it was on their platforms.
It was due to a phishing breach,
and then also that others were involved
as well.
From that moment
on, we're in triage mode,
working with HubSpot
to make sure we can assist them
as best possible.
But more importantly,
we can take care of our clients,
our customers,
and make sure
that our customers are apprised
of what's going on
and what data was involved.
HubSpot would later confirm
that this wasn't some zero day
hiding in their code.
It was something older, simpler,
and far more human.
An employee was involved... and a message
and a request that felt routine.
A login page dressed up
to look like Okta.
In the end,
the attacker didn't need to break in
because like a vampire
from a classic horror film,
they only needed one thing: an invitation.
And with a single social
engineering click,
they were welcomed past the threshold.
From there,
the stolen login opened the door
to internal tools,
the same tools
that guarded customer portals.
Very quickly
we learned that a critical administrator
on the HubSpot platform was phished.
The information
that we received from HubSpot was
it was an
SMS text, a link that looked like Okta.
The setup for the phish was
also paired with a phone call.
And the phone call told the attack
victim, "we're going to send you
an SMS text; we need you to reauthenticate
to the Okta login."
Ultimately,
that's exactly how
that user was compromised.
Once inside,
the attackers didn't hesitate.
They weren't after HubSpot's brand.
They were after HubSpot's customers.
And not all customers,
just the ones whose clients held
Bitcoin.
Customer portals became directories.
Marketing lists became targeting maps.
Every field, every record, every export
button was now ammunition.
And in a single step,
the boundary between
"we use a SaaS provider" and "we just exposed
our users" became razor-thin.
You can build security and build
confidence in platforms,
but the human is the weakest
link in a lot of these supply chains.
There are a lot of factors
that go into social engineering,
making sure the employee
or the target is under duress,
using language
that is coercive, using language
that is threatening for
that attacker
to hit the target with some action.
And so whether it's an email,
a phone call or an SMS,
there are ways
to, you know,
gin up the conversation
to make sure that that target
is taking action.
It is absolutely critical
that everybody knows what's at stake.
Okay. How about some advice?
What is the
high level advice
you can offer to employees
of organizations
who may not be on the security
front lines in the traditional sense,
but still may be targets
of social engineering
and phishing attacks.
Some of the simple things
that we want to focus on
is trusting the sender.
It's very easy
to go into an email in your inbox
if it says this
email is
from ABC, to do an actual check that the domain
of the email lines up with
not just the name field.
And also like the typical stuff
of threatening language,
is it asking for something abnormal?
Gone are the days of misplaced English
or misplaced sentences
with the tools and technology
that's available today.
These are well-written, well-crafted,
well-delivered type of attacks.
I think customers and users
of these services
should absolutely understand
what's normal behavior
for my provider to contact me.
Should I expect a phone call?
Is it Friday afternoon?
Is it sent with a sense of urgency?
Is it to gain your trust?
And ultimately,
I think users should be able
to, at any point,
hang up,
delete the email,
pick up your own phone
and call the service
provider number
to make sure everything's
okay with your account.
I would say nine out of ten
phishing emails
start with
"there's a problem with your account."
Well, okay.
That's great.
I'm going to hang up
and call the official number,
or I'm going to hang up and send an email
into the official customer support area.
I think that's critically important
and it changes the way of
normal business today.
Act II
Harvesting the Haul
Officially, the breach
hit a SaaS provider in Cambridge,
but unofficially,
its impact
rippled downstream
straight into the Bitcoin firms,
whose users' data
now sat neatly
exported in a criminal's spreadsheet.
Swan wasn't hacked. Its systems held,
its wallets were untouched.
But the attacker had gained something far
more operationally valuable.
A complete
index of crypto customers
that they would now convert
into a list of targets. Within HubSpot
they phished a senior-level admin
for their portal.
Once they had access,
they immediately
worked to find all of Hubspot's
cryptocurrency clients,
and then they did a data dump
for all of those clients' customers.
And it was very precise, very targeted.
And now that they have this
trove of information,
they can go play their game forever.
Within days,
the quiet compromise of a SaaS account
turned into a deafeningly
loud battle zone.
In customer inboxes, emails
that looked like familiar brands,
subject lines
that sounded like routine
security notices.
Pages designed to capture
recovery seeds
and reset passwords, or verify accounts
before something
‘terrible’ supposedly happened.
For Swan, the breach hadn't touched
internal systems,
but it had given attackers a clean list
of who to impersonate and who to scare.
You know, immediately, our response
focused on customer outreach,
customer identification.
Who is involved in this data set loss?
Not everybody was involved.
And how do we reach out to them
and explain to them what happened?
Now that the attackers have this
data set,
you should expect to be phished.
It's going to look like
an impersonation of Swan Bitcoin.
It's going to look like
an impersonation of outreach.
Here are our official paths
of communication.
Here's how we reach out to you.
A lot of customers
don't understand
the official paths of communication.
If I'm a customer and all of a sudden,
you know,
I get ten phone calls coming in from,
they all say they're Swan Bitcoin
or they all say they're BlockFi.
As a customer of these platforms,
is it abnormal
that I'm getting outreach
to the attacker?
This was a numbers game
with a personal touch. Call
enough users, send enough emails.
Sound just close enough
to legitimate support.
Use the right language.
Maybe a little urgency,
a little fear,
a little manufactured confusion.
And then once the trust is gained,
make the ask.
Log in here, reset your password.
Confirm your wallet details.
Not because the portal was compromised,
but because the person was. The attacker
targeted these 30 companies
and the attacker
knew what they were going to go after.
Gain confidence,
and then all of a sudden make the ask
and the ask
is either going to be in the form of
we need you to change your password.
We need you to log in and do something
to your account. With cryptocurrency,
if there's self-custody,
and to do self-custody,
you enter
your wallet address into the platform
and then it's either a scheduled send
or it's automatic,
but you have the ability.
The user has the ability
to send your assets from the exchange,
from the platform
to your individual wallets.
Once the attacker has gained confidence
and that trust
with the customer,
manipulation is the game, and they want
those assets.
So I think it's safe to say that
just about every organization,
regardless of industry,
is using multiple SaaS tools right now.
That brings with it
an operational reliance
and a security dependency
when it comes to data
that some may argue is equal parts
risky and unavoidable,
all in service
of maintaining productivity.
How do you view SaaS reliance
and how do you protect against it?
I think it's a great question.
One of the things
I think that's critical,
if I'm talking to a CRM
vendor, is
I really want to understand
who's touching my account.
If these are the crown
jewels of my company,
I want to make sure that
that they understand that,
that they're working with me.
Number one,
is it appropriate for a single admin
in a CRM environment
to have access to all customer tenants?
Simple questions like this.
And then also for those critical
third parties.
Is there a quarterly
or biannual touchpoint
with the counterpart on...
Maybe it's not just the security team,
but maybe the counterpart
is making sure that parts
of the security team connect
with the customer
outreach team on the CRM side,
making sure that,
any type of features
that are introduced
or any type of protocols
that are established
have oversight from the security team.
Sometimes it's not about customer data.
Sometimes it's actually
about moving cryptocurrency
or bank funds.
One element
that I think is underrated
is data deletion.
If somebody is on a marketing list,
that's great.
But if there's no engagement,
no activity, it's
okay to have rules in place,
you know, expire that type of PII data
after a year, after 18 months,
after a period of time.
This data is absolutely critical
to our business, and we want vendors
and partners
that have the same type of mentality.
For years, the
story told to crypto users was simple:
take control.
Be your own bank.
What hadn't been discussed,
at least not clearly
and loudly
enough, was the second half
of that sentence.
Here's what
that actually requires of you.
When someone shows up in your inbox.
Swan's response was not to promise
perfect protection.
It was to make customers harder to fool:
which messages to trust,
which channels they actually use.
Why?
You might want to have one email address
for marketing noise,
and a completely different
one for the accounts
that can move your money.
It starts with education.
If I am a customer of an exchange,
a provider, I want to be informed.
I want to understand
best practices on wallet custody.
I want to be informed about
what's the temperature of the threats
in 2022.
We went on a huge campaign
to educate our customers
about being targets:
is that in the form of a voicemail?
Is it a text message?
Is it an email?
And on the education front,
I would kind of add this
if I'm a privacy-focused individual,
I want to make sure
that I've got a marketing email
and then I have a transactional email.
And those transactional emails
are the ones that I have
with my most sensitive third-party
financial providers.
And I know that that email is not,
should not be compromised
if it is out there.
There's other issues to worry
about, but a lot of customers don't
think of it as
"I need a marketing front door
and I need a transactional front door."
And I think that's one way to limit
the blast radius for the individual.
When a breach like this hits
the headlines,
the instinctive question is who failed?
But the harder question for CISOs is
who have we allowed
to hold our crown jewels?
And how often do
we actually check their hands?
HubSpot and Klaviyo
became cautionary examples
not because they were
uniquely vulnerable,
but because they were visible.
In almost every organization
there's a quiet list of SaaS platforms
that see customer data,
transactional data,
and sometimes even the routes
money takes.
And in many of those platforms,
a single overprivileged admin account
still has the keys.
Ceding
trust to other companies
is rather difficult.
It should be a hard decision.
You want the best provider out there.
And I think in this particular case,
when the breach happens
with an outside third party,
the postmortem is minimal.
We focused a lot on having,
I would say, playbooks
ready for emergencies
with all, not only CRM
providers,
but our digital custodians
on our back end,
making sure playbooks
exist and making sure
scenarios are at least discussed.
Those range
from not only data breaches,
but also like loss of keys or outages.
A postmortem
with this one in particular,
HubSpot and Klaviyo.
You know,
I commend their teams
for having an outreach element
to work with their customers
who are impacted.
And then also regular cadence
and reaching out
and making sure, like,
we've got a point of contact
with every third party vendor
so that in the event of or “hey,
we're running
scenarios and tabletop exercises,
would you like to participate?”
I think those are key.
The biggest postmortem in
this one was customer education.
This one took it up
a level
to the point where
the industry
was already being targeted
and being attacked,
the continual customer
education on how to contact a company
if there's problems,
if phishing attacks are sent, here's
what to expect.
Our users really loved it,
and they appreciate
not only insights in the industry,
but also the efforts
that we're taking to make sure
that they're well informed.
Act III
The Official Blast Radius
There's another uncomfortable truth here.
Data that never existed in a vendor's
systems can't be exfiltrated.
Marketing platforms
are built to keep lists warm,
not to let them go.
But from a CISO's
point of view, stale PII isn't an asset.
It's kindling soaked in gasoline.
Shorter retention, automatic expiry
for dormant contacts,
and a willingness from vendors to delete
what's no longer needed.
These are no longer ‘nice
to have’ features.
They're part of the blast
radius calculation.
One of the metrics that we use is
how many partners are we sharing
critical data with,
and what can we do to reduce that
to zero?
Making sure
that these are the right third parties
to help us with our business mission.
A lot of those third parties
are happy to sign a contract
and turn on the service,
and you can file a support ticket,
but you know the support's not there
or it's very weak.
And as a small company,
as a small provider,
I recognize that
we're not your largest client,
but we are a fairly critical client.
And working with the third party
to do a joint tabletop exercise.
In the case of a breach
or a simple,
you know, certificate that's expired.
I don't want to see a simple SOC 2.
I don't want to see
a simple ISO certification.
I want to see, like your commitment
to your security roadmap,
making sure like,
you know, HubSpot or Klaviyo,
if they're committed to changes,
making sure those changes
are implemented, the stakes are higher.
And I think the SaaS providers
need to understand
that the stakes are higher.
Inside Swan, there could have been an easy out.
This was a vendor problem.
Their employee clicked
and their tool was abused.
But that's not how it feels
when your customers
are the ones getting the phishing calls.
To a user,
there's no neat separation
between our SaaS provider and our brand.
If they trusted Swan
enough to deposit value
and that trust is shaken,
the nuance of third party risk
doesn't really matter.
But you want to provide
the best customer experience,
the best trusted platform
for your customers.
And I think in this particular case,
we let everybody down.
You know,
we're looking at the
events of what happened.
Are we in control of somebody
from a third party getting phished?
No we're not.
But fundamentally,
we let our customers down
and we are making sure
that they're well informed, educated.
And I think
the main point here is like
cryptocurrency is fairly
new and usage of cryptocurrency
is fairly new.
And one of my missions is to make sure
that the people have the right education
so that they're comfortable.
For more than a decade,
the industry has been selling
a simple promise.
Hold your own keys.
Be your own bank,
and don't trust intermediaries.
Well, what the HubSpot and Klaviyo
incident exposed is a different,
quieter reality.
Even in self-custody,
there are still intermediaries.
SaaS tools, marketing platforms,
support systems.
They shape how attackers find you.
Being your own bank doesn't
just mean holding your seed phrase.
It means
understanding that social engineering,
phishing, and vendor breaches are now
part of your personal threat model.
The industry has spent years trying
to explain the benefits
of being your own bank,
but they have not explained
and they have not carried up with...
If you are choosing to be your own bank,
here are the security protocols
that you need
to at least evaluate for your own self.
Prior to cryptocurrency
and prior to self-custody,
there were very few user-
targeted attacks,
but the game has changed
and with the rise of Bitcoin,
we are finding that a lot of the targets
and a lot of the attackers are following
that rise.
As I mentioned,
like we're well overdue
to make sure that these users understand
that if they are interested
in cryptocurrency and Bitcoin,
that they are using
appropriate safeguards
and they understand the attacks
that are coming to them.
On the SaaS side,
the lesson is just as sharp.
If you hold the marketing lists
and the contact data
and control the knobs
that can nudge users into action,
You're not just a platform,
you are a potential launch
pad for someone else's breach.
Basic phishing
training that checks
an audit box isn't enough
when your admins
can see across dozens of crypto
tenants at once.
Real adversarial testing,
targeted campaigns
against your own support teams,
and internal controls
that assume an employee will click.
Those are the table stakes.
Now, you know, if I'm a SaaS provider,
things that ring louder in
post-mortems
for this type of a data breach
are the best phishing training.
The industry and CISOs
get caught up
with satisfying a compliance checkbox.
And if they have a phishing
training in place,
that's satisfying the audit,
there's probably
very little desire to change.
But if you are a company like HubSpot
or Klaviyo
or Salesforce in the news recently,
you need to go above and beyond the basic
phishing training.
There are great providers out there
that will do a targeted campaign
to socially engineer
their way into SaaS providers
customer support.
Those projects are immensely valuable
because you actually have somebody
that a human is going to spend
time and attack these companies
and test their protocols.
The stakes are higher.
SaaS providers need to understand that.
As a CISO, you make purchasing decisions
for security solutions
and influence purchasing decisions.
When it comes to SaaS vendors,
what should those vendors know
about what you and other
CISOs value most in relation
to attacks
like the ones experienced by HubSpot
and Klaviyo?
There needs to be.
You know,
we saw recently with AWS
and some of the bigger attacks
like Salesforce
and last year, CrowdStrike.
Like there
is probably an overreliance
on SaaS related platforms and technology,
whether it's the resiliency
or just uptime
or actually having support over
customer data that needs to be looked at.
What I want to do is find partners that
want to support us in a manner
that is secure,
that are willing to delete data...
you know, actually implement
a policy
like data is deleted
after X days or months or weeks. Long
gone are the days of
just signing up and using SaaS,
providing services,
and just turning on defaults
and not looking at it.
All right, Scott, last question for you.
You've been doing this
for decades at this point.
I imagine that you've had lots
of wonderful mentors.
What was the best piece of advice
that you received
that you can share with our audience of
CISOs and security leaders?
I think
the best piece of
advice that I got
from my old manager at Amazon,
it was the first time
in Amazon’s history
where they actually implemented payments
tokenization.
Prior to tokenization,
a credit card number
was just being floated around,
and that credit card number
was the tokenization.
The advice was simply
that we can operate
at an absolutely pristine
and high level of security,
but you are not going to be able
to do business.
And I think that really
put into perspective,
you, as a CISO,
need to understand the business
by understanding how business operates.
You understand their priorities,
what's important to them,
and you're able to work
as a better partner
with all the stakeholders.
Scott, thanks for being on the podcast.
It was great having you here.
I hope you'll come back again
and join us soon.
Absolutely.
Pleasure to be here
and I look forward to seeing all the
stories that you guys have.
This is where the
story bends
away from the usual cybercrime script.
In so many breaches,
the final scene is familiar.
There are ransom notes
and drained wallets.
Executives reading apologies
under fluorescent lights. Here,
that didn't happen.
HubSpot cut off
compromised accounts
and went public quickly.
Crypto companies,
including Swan, moved fast to warn users,
not weeks later
but within hours or days.
And as the dust settled,
no public evidence emerged of large scale
wallet drains
tied directly to these vendor incidents.
Funds stayed
where they were supposed to be.
That doesn't mean the impact was trivial,
though.
Of course,
the real cost was measured
in shaken confidence,
in hard conversations with customers,
in security leaders
rewriting their third party playbooks.
But it also left behind
something rare in this space, proof
that clear communication
and rapid response
can blunt the edge of an attack.
In a world
where one employee's click at a vendor
can ripple all the way down
to a hardware wallet on a kitchen table,
this is the new reality for CISOs.
You can harden your own walls,
but somewhere
a stranger
is still holding the map
to your crown jewels.
The question isn't
whether that map will ever be targeted.
The question is, what will you do
and how prepared will you be when it is?
And so we remain forever vigilant
and always listening for The CISO signal.
All episodes are based on publicly
available reports, postmortems,
and expert analysis.
While we've done our best
to ensure accuracy,
some cybersecurity incidents
evolve over time
and not all details have been confirmed.
Our goal is to inform and entertain,
not to assign blame
where facts are unclear.
We've used cautionary language
and we always welcome your corrections.
Thanks for listening
to The CISO Signal.
