Betterment Social-Engineering Breach Exposes 1.4 Million Customer Records
Betterment disclosed that a social engineering attack against a third-party platform account used for customer communications enabled unauthorized access to internal systems in early January, leading to the exposure of personal data tied to 1,435,174 accounts. The intruder used the access to send fraudulent crypto-themed promotional messages impersonating Betterment and promising to “triple” cryptocurrency sent to attacker-controlled wallets (including Bitcoin and Ethereum addresses). Betterment said it revoked the unauthorized access the same day it was detected, warned customers to ignore the messages, and initiated a forensic investigation with external incident-response support.
Breach analysis and indexing by Have I Been Pwned indicated the exposed dataset included email addresses, names, and location data, with reporting also citing additional PII such as dates of birth, physical addresses, phone numbers, device information, and employment-related details. Betterment stated there is no evidence that customer investment accounts were accessed or that passwords/authentication tokens were compromised, characterizing the incident as an exposure of contact/identity data rather than account credentials. Separate reporting noted Betterment also experienced intermittent outages attributed to a DDoS attack and extortion attempts around the same period, but this was described as distinct from the social-engineering-driven data exposure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Betterment reviews alleged leaked data posted by claiming group
By 2026-02-05, Betterment said it was working with an independent data analytics provider to review material allegedly posted online by a group claiming responsibility for the breach. Reporting also noted ShinyHunters claimed responsibility and alleged a much larger leak, though that claim was not confirmed by Betterment.
Have I Been Pwned lists Betterment breach affecting about 1.4 million accounts
On 2026-02-05, Have I Been Pwned added the Betterment incident to its breach database after analyzing a dataset and estimating that 1,435,174 accounts were exposed. Reported data included names, email addresses, location data, and for some users addresses, phone numbers, and dates of birth.
Betterment issues update saying accounts and credentials were not compromised
On 2026-02-03, Betterment said follow-up forensic work found no evidence that customer accounts, passwords, authentication tokens, or other login information were compromised. It said the primary impact was exposure of customer contact and identity information.
Betterment reports outages and extortion claims tied to the incident
During the January 2026 incident, Betterment also experienced intermittent outages attributed to a DDoS attack and said extortion claims were made. The company did not provide further details about the extortion attempt.
Betterment revokes access, warns customers, and starts forensic investigation
The same day it detected the intrusion, Betterment said it revoked the unauthorized access, warned customers to ignore the scam messages, and launched a forensic investigation with external cybersecurity support, including CrowdStrike.
Betterment detects unauthorized access and scam emails are sent
On 2026-01-09, Betterment detected unauthorized access to certain internal systems after attackers used the compromised access to send fraudulent promotional emails to customers. The messages attempted to trick recipients into sending Bitcoin or Ethereum with a false promise that the amount would be tripled.
Attackers socially engineer access to Betterment third-party tools
In early January 2026, threat actors used social engineering against an employee to obtain access to a third-party platform account used for Betterment customer communications and operations. Some reporting later cited claims that voice phishing of Okta single sign-on codes was involved, but Betterment attributed the intrusion to social engineering against third-party tools.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Almost 1.4M users reportedly affected in Betterment breach | SC Media
scworld.com
Open sourceBetterment data breach exposes 1.4 million customers | American Banker
americanbanker.com
Open sourceBetterment breach scope pegged at 1.4M users • The Register
go.theregister.com
Open sourceBetterment Data Breach Exposes 1.4 million Customers Personal Details
cybersecuritynews.com
Open sourceData breach at fintech firm Betterment exposes 1.4 million accounts
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Betterment Data Breach via Compromised Third-Party Marketing Platform Used for Crypto Scam Emails
Betterment confirmed a **data breach** after an attacker used access to a **third-party platform** supporting Betterment’s marketing/operations to send fraudulent crypto “reward” messages to customers. The intrusion occurred on **January 9** via a **social engineering/phishing-style attack** against the third-party service, enabling the threat actor to distribute emails that appeared to originate from Betterment infrastructure and lured recipients with a promise to “triple” cryptocurrency sent to an attacker-controlled wallet. Betterment stated the attacker accessed customer **PII** visible within the compromised system—**names, email addresses, postal addresses, phone numbers, and dates of birth**—but that **customer accounts, passwords, and login credentials were not compromised** and Betterment’s core infrastructure was not impacted. The company reported detecting the activity the same day, revoking the unauthorized access, and engaging an external cybersecurity firm to investigate; affected customers were advised to ignore the scam message (reported as sent from `support@e.betterment.com` with the subject line “We’ll triple your crypto! (Limited Time)”).
Mar 21, 2026
Betterment and CarGurus Data Breach Claims Involving Stolen Customer and Corporate Records
Fintech platform **Betterment** reported a January 2026 social-engineering incident in which an employee was tricked into providing credentials that enabled unauthorized access to internal messaging systems via third-party tools. Betterment said it detected and contained the access the same day, launched an external forensic investigation, and later indicated the incident affected roughly **1.4 million customers**; exposed data included names, email addresses, and location data broadly, with a smaller subset including phone numbers, physical addresses, dates of birth, job titles, and device details. Betterment stated that **no financial accounts, logins, or passwords** were accessed, but warned that the stolen PII was used to send **crypto-scam messages** impersonating Betterment to pressure users into transferring funds. Separately, the extortion group **ShinyHunters** claimed it stole **1.7 million CarGurus corporate records** and threatened to leak the data if the company did not engage by a stated deadline; the criminals alleged the haul included PII and internal corporate data, and CarGurus had not publicly confirmed the claim at the time of reporting. The same reporting tied the CarGurus claim to a broader run of ShinyHunters-related leak-site postings and extortion threats against other organizations, with at least one victim (Canada Goose) indicating that data recently published online may have been **historical** rather than from a new intrusion.
Mar 21, 2026
Social Engineering Breaches Exposed Customer Data at Figure and Allianz Life
Figure and Allianz Life disclosed separate breaches in which attackers used **social engineering** to gain access to systems holding large volumes of customer data. Figure said an employee was deceived into granting access, leading to the public posting of a dataset from January 2026 that contained more than **900,000 unique email addresses** as well as names, phone numbers, physical addresses, and dates of birth. Allianz Life reported that a cyberattack in July 2025 targeted data stored on **Salesforce** and was later followed by the online leak of **1.1 million unique email addresses**. The exposed Allianz Life records also included names, genders, dates of birth, phone numbers, and physical addresses, underscoring how social engineering attacks continue to drive large-scale exposure of sensitive personal information across financial services firms.
Mar 27, 2026