Cyber Incident Victim: Betterment
Date: Jan 2026
Location: United States of America
Summary
Betterment experienced a cybersecurity incident where threat actors used social engineering to compromise third-party marketing and operational platforms, enabling unauthorized access to customer data including names, addresses, email addresses, phone numbers, and dates of birth. The attackers leveraged this access to send fraudulent cryptocurrency-related scam messages impersonating the company, though no customer accounts, passwords, or financial credentials were breached. The intrusion was contained promptly, with unauthorized access revoked and an investigation initiated alongside cybersecurity experts. The incident is linked to the ShinyHunters group, which also targeted Crunchbase and SoundCloud through similar methods involving Okta SSO vishing campaigns.
Description
On January 9, 2026, automated investment platform Betterment suffered a cybersecurity incident after threat actors breached its systems through social engineering targeting third-party software platforms used for marketing and operations. The attackers exploited this unauthorized access to send fraudulent cryptocurrency-related messages directly to an undisclosed number of Betterment customers, impersonating the company to solicit funds. These messages promised to triple deposits sent to attacker-controlled Bitcoin and Ethereum wallets, specifically instructing recipients to transfer $10,000. Betterment detected the breach on the same day and immediately revoked the threat actor’s access while launching a comprehensive investigation with assistance from an unnamed cybersecurity firm. Initial statements confirmed no compromise of customer accounts, passwords, or login credentials, with the company directly notifying affected users to disregard the scam communications.

Subsequent investigation revealed that the attackers potentially accessed personally identifiable information including customer names, email addresses, postal addresses, phone numbers, and dates of birth, though Betterment did not disclose the exact number of impacted individuals. The ShinyHunters cybercrime group later claimed responsibility for the breach alongside attacks on Crunchbase and SoundCloud, alleging theft of several gigabytes of files containing tens of millions of records from Betterment. While the company maintained that its core infrastructure remained uncompromised and business operations undisrupted, it confirmed contacting federal law enforcement and advised heightened vigilance against unexpected communications. Betterment published a breach notification webpage but implemented a 'noindex' tag to exclude it from search engine results, limiting public visibility of the incident details. The attackers’ methodology aligned with a broader vishing campaign linked to ShinyHunters, as described in Okta’s private customer warnings regarding voice-based social engineering tactics.
