DO NOT REDEEM: Betterment Customers Get 2017 Crypto Scam Via Company's Own Email System

By Stocks News   |   9 hours ago   |   Stock Market News

Word of advice: Do not redeem… 

So it appears Betterment just F’d around and Found Out, as it gave people with a little too much confidence a little too much inbox access. According to Betterment, an unauthorized actor slid into its systems and blasted customers with a crypto scam that basically read: “Your data has been compromised. Please reply with your full seed phrase to recover your wallet.” Sounds legit. 


Now before anyone panics, Betterment says this wasn’t some elite zero-day exploit or hoodie-wearing mastermind brute-forcing servers in Russia. Instead, this was good old-fashioned social engineering. Translation: someone got tricked, clicked the wrong thing, or trusted the wrong “vendor.” According to the reports, no passwords were stolen and no accounts were drained. Just names, emails, phone numbers, addresses, and dates of birth… a.k.a., all the things that still get Nigerian princes all horned up. With that access, the attacker sent customers a message so old it smells like 2017: promising to triple their crypto if they sent $10,000 to a wallet controlled by… the attacker.

(Source: TechCrunch) 

Of course, Betterment says they detected it the same day, shut it down, launched an investigation, hired a cybersecurity firm, and told customers to ignore the message. All the right boxes checked. Gold star. But what they didn’t say is how many customers were affected. Also interesting. But, but, but… here’s where it gets spicy: Betterment quietly published a security incident page about the breach… and then slapped a “noindex” tag on it. For the non-nerds, that tells Google, “Hey man, nothing to see here. Please don’t show this to anyone.” Which is a choice. Translation: Nothing screams confidence like hiding the receipt.

To be clear though, this wasn’t a crypto platform failure. This was a problem in the fintech marketing stack, which includes third-party tools and external platforms. In other words, the same Frankenstein software pile every startup uses to blast emails, track users, and juice engagement metrics. Turns out if someone gets the keys to that, they don’t need your passwords. They just need your trust. And that’s the scary part.


For instance, Betterment’s whole brand is built on “trust me bro”, set it and forget it, and long-term rational investing logic. Then one day your inbox lights up with a message asking for your seed phrase like it’s a Costco receipt. If you’re a customer, you probably didn’t lose money. If you’re a fintech exec, you just felt a chill down your spine. Moral of the story: you can have airtight infrastructure and still get cooked by an email. Sucks to suck, Betterment. And yet, this is reason #4,987,385 why I don’t mess with crypto. Until next time, friends… 

At the time of publishing, Stocks.News holds positions in Google as mentioned in the article. 

 
