We experienced a security incident on November 21st and have now completed our investigation. I write to explain what happened, how we handled the situation, and how we can work together to defeat such attacks in the future.
As you may have read in the media, financial institutions have been facing phishing attacks of unprecedented sophistication in recent months. Uphold is no exception.
First, I’d like to reassure you that Uphold was not hacked and no customer funds were stolen. Your accounts remained safe throughout the incident and our security measures worked as planned.
The incident resulted from an attack on our account at a third-party email services provider. We were one of several of the provider's customers affected. A malicious actor created a fake newsletter titled ‘Black Friday 15% discount on BTC’ and sent it to Uphold customers. The communication looked like an Uphold email and, because it was sent through Uphold’s own account at the provider, it came from Uphold’s genuine email address rather than a spoofed one.
We are deeply sorry for the incident and have been busy conducting a review of our security controls and procedures. Keeping your information secure is of paramount importance. As a result, we’ve introduced a series of measures to reinforce our position as one of the most secure financial platforms.
How we handled the incident
The Uphold team took swift action to limit the risk caused by the incident and immediately:
- Suspended our external email service.
- Blocked all outbound transfers to the Bitcoin address advertised in the fake newsletter.
- Notified our customers and started an internal investigation.
- Contacted the UK data protection authority, the Information Commissioner’s Office (ICO), for transparency and to seek advice.
- Removed the fake online landing page for the newsletter.
How you can help
While your full log-in credentials are secure, we believe there is a risk that your first name, last name and email address may have been disclosed during the incident. This does not compromise your account, but it does mean you are more likely to receive further phishing attempts that address you by name.
We urge you to be vigilant. Remember that Uphold will never:
- Ask you to send funds to a Bitcoin address, or to an address on any other blockchain network.
- Call you, or ask you to call us.
- Ask you to disclose your username and password.
- Request control of your computer using remote software.
When you log in to Uphold, always check that the address bar reads https://www.uphold.com. Look at the whole host name, not just the beginning: an address such as https://www.uphold.com.something-else.example is not us. Bookmark our address and don’t use search engines to find us, because search results and sponsored links can lead you to a phishing site.
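The address check described above, as an added illustration that is not part of this letter or of Uphold’s software: a small Python function that accepts a URL only when the scheme is https and the host name is exactly www.uphold.com. The sample URLs are constructed for the example; the lookalike hosts and the address after the @ sign are hypothetical and do not belong to any site named in this letter.

```python
from urllib.parse import urlsplit

# The only legitimate log-in origin named in the letter.
LEGITIMATE_HOST = "www.uphold.com"


def is_uphold_login_url(url: str) -> bool:
    """Return True only for https URLs whose host is exactly www.uphold.com.

    The host is compared as a whole, never as a prefix or substring, so a
    lookalike host that merely contains the string is rejected.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        # Malformed URL (e.g. a broken IPv6 literal): treat as suspicious.
        return False
    if parts.scheme.lower() != "https":
        return False
    # .hostname is lowercased and has any user:password@ prefix and :port removed,
    # so "https://www.uphold.com@evil.example/" yields the host "evil.example".
    host = parts.hostname
    if host is None:
        return False
    # Non-ASCII hosts (homoglyph look-alikes such as a Cyrillic letter inside
    # the name) can never equal the ASCII legitimate host; reject them outright.
    if not host.isascii():
        return False
    return host == LEGITIMATE_HOST


def classify(urls):
    """Map each URL to True (genuine Uphold origin) or False (do not trust)."""
    return {u: is_uphold_login_url(u) for u in urls}


# Constructed sample inputs; the look-alike domains are hypothetical.
SAMPLE_URLS = [
    "https://www.uphold.com/login",                     # genuine
    "https://WWW.UPHOLD.COM:443/login",                 # genuine, case/port differ
    "http://www.uphold.com/login",                      # plain http: reject
    "https://www.uphold.com.account-verify.example/",   # host only starts with it
    "https://www.uphold.com@evil.example/login",        # real host is evil.example
    "https://www.uph\u043eld.com/login",                # Cyrillic 'о' homoglyph
    "https://uphold.com.evil.example/",                 # another lookalike
]

if __name__ == "__main__":
    for url, ok in classify(SAMPLE_URLS).items():
        print(("OK     " if ok else "REJECT ") + url)
```

The point of the example is that the safe comparison is an exact match on the parsed host, not a visual "does the address start with www.uphold.com" check, which is exactly what lookalike and user-info tricks are designed to defeat.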
To help protect you from phishing attacks we’ve created a security awareness blog, which you can read here https://blog.uphold.com/phishing-scams-dont-take-the-bait.
The nature of ‘phishing’ means that the threat is constantly changing shape. No matter how robust our security measures, they will never provide you with complete protection unless you remain alert and vigilant to suspicious activity.
Like other institutions, we need your help to combat the menace of phishing, and I have no doubt that by working together, we can do so.
If you’d like more information, please do contact me at [email protected].
Chief Information Security Officer