Nothing is more important to us than complete transparency with our community. That's why I'm updating you with all of the details we currently have about a recent security incident that has affected some of our Celsius customers.
I'll start with the most important news: all funds are safe. Our back-end systems remain fully secure and have not been breached. Customer funds and sensitive data are not affected and are not connected to any front-facing or external communications platforms.
Our incredibly talented security team is working around the clock to investigate what happened. Below is a summary of what we know so far.
On April 14, 2021, Celsius customers began reporting a fraudulent website claiming to be an official Celsius platform. We also became aware of some Celsius customers receiving SMS and email messages that claimed to be official Celsius communication, linked to that website, and prompted recipients to enter sensitive information.
What we know:
An unauthorized party managed to gain access to a backup third-party email distribution system which had connections to a partial customer email list. Once inside the system, this unauthorized party sent a fraudulent email announcement, some of whose recipients we know to be Celsius customers.
The intent was to make the recipients believe that the fraudulent email came from Celsius and that the fraudulent site was a true Celsius site, and to take ownership of recipients’ cryptocurrency assets from their personal (non-Celsius) wallet by prompting the user to provide the seed phrase to their personal wallet address.
**NEVER GIVE ANYONE YOUR SEED PHRASE OR PRIVATE KEY**
What we are still investigating:
Our team is actively working to understand how the unauthorized party managed to gain access to the third-party email distribution system and the source of the list used to send fraudulent communications via SMS.
We are checking with all of our third-party vendors and within other recent external/public data leaks to understand where this information came from and if third-party platforms have been vulnerable to any related incidents. We know that customers who had not registered an email or phone number with Celsius also received fraudulent messages to these contact details; thus, we believe the data was collected from external data sources.
What this means for Celsius customers:
Our security team is currently working to identify and notify any Celsius customers who may have been affected by this event. If you received any of the fraudulent messages:
- Report the message as spam
- Do not click any links
- Do not provide any personal or confidential information
- Keep 2FA enforced on all your accounts
- Update your account credentials regularly
- Check if your information has been shared in any recent data leaks
Official communication, product updates and promotions are communicated through our verified channels. The only official email and website domain for Celsius is celsius.network.
As a reminder, Celsius will never ask you for your private keys, passwords, or PIN codes.
Any communications or activity that you suspect did not originate from Celsius should be forwarded to our security team at email@example.com. For Celsius security insights and general user security best practices, you can learn more on our website.
What we are doing going forward to ensure this does not happen again:
We are conducting a full internal investigation to see if there was anything at all that could have been done to prevent this. We will raise the bar on what we require from third parties in terms of ISO and SOC certifications.
We will never stop searching for better and better ways to keep our customers secure. It is our single most important priority.
Our team is providing real-time updates on the Celsius blog and on Twitter, and I will provide another update for the entire community as soon as we have new information.
Once again, thank you for your patience and continued support.
Founder and CEO, Celsius