Replace September 05, 13:21 EDT: Added a press release from Wealthsimple confirming that this assault wasn’t a part of an ongoing Salesforce information theft marketing campaign.
Wealthsimple, a number one Canadian on-line funding administration service, has disclosed an information breach after attackers stole the private information of an undisclosed variety of clients in a current incident.
Based in 2014 and headquartered in Toronto, the monetary providers agency holds over CAD$84.5 billion in belongings (roughly $61 billion). It affords a variety of economic merchandise focusing on investments, buying and selling, cryptocurrency, tax submitting, spending, and financial savings to over 3 million Canadians.
Wealthsimple’s Android app has over 1 million downloads on the Google Play Retailer, whereas its iOS app has collected over 126,000 scores from Apple customers.
As shared in an official assertion and breach notifications emailed to clients (seen by BleepingComputer), the corporate detected the breach on August thirtieth.
Wealthsimple acknowledged that the attackers didn’t steal any funds and didn’t compromise passwords, guaranteeing that each one buyer accounts stay safe.
“We realized {that a} particular software program package deal that was written by a trusted third social gathering had been compromised. This resulted in private information belonging to lower than 1% of our purchasers being accessed with out authorization for a quick interval,” Wealthsimple stated.
“Information that was accessed was private data like contact particulars, authorities IDs supplied throughout the Wealthsimple sign-up course of, monetary particulars, comparable to account numbers, IP tackle, Social Insurance coverage Quantity, or date of start.”
Since detecting the incident, the monetary providers firm has notified impacted clients by way of electronic mail, and it’s now offering them with two years of complimentary credit score monitoring, in addition to dark-web monitoring, identification theft safety, and insurance coverage.
Affected clients are suggested to safe their accounts utilizing two-factor authentication (2FA) with an authenticator app, by no means reuse passwords, and stay vigilant in opposition to potential phishing makes an attempt impersonating Whealthsimple.
Whereas the corporate did not present any data on how the attackers gained entry to the shoppers’ private data, the small print shared within the assertion and information breach notifications appeared to recommend that the corporate might have been one of many victims in a current wave of Salesforce information breaches linked to the ShinyHunters extortion group.
After we reached out to Wealthsimple with questions in regards to the incident and to substantiate how the attackers stole its clients’ information, a spokesperson informed BleepingComputer that the “incident shouldn’t be associated to Salesforce.”
46% of environments had passwords cracked, almost doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and information exfiltration developments.
