Financial services firm Wealthsimple discloses data breach

Wealthsimple, a leading Canadian online investment management service, has disclosed a data breach after attackers stole the personal data of an undisclosed number of customers in a recent incident.

Founded in 2014 and headquartered in Toronto, the financial services firm holds over CAD$84.5 billion in assets (approximately $61 billion). It offers a wide range of financial products targeting investments, trading, cryptocurrency, tax filing, spending, and savings to over 3 million Canadians.

Wealthsimple’s Android app has over 1 million downloads on the Google Play Store, while its iOS app has collected over 126,000 ratings from Apple users.

As shared in an official statement and breach notifications emailed to customers (seen by BleepingComputer), the company detected the breach on August 30th.

Wealthsimple stated that the attackers did not steal any funds and did not compromise passwords, ensuring that all customer accounts remain secure.

“We learned that a specific software package that was written by a trusted third party had been compromised. This resulted in personal data belonging to less than 1% of our clients being accessed without authorization for a brief period,” Wealthsimple said.

“Data that was accessed was personal information like contact details, government IDs provided during the Wealthsimple sign-up process, financial details, such as account numbers, IP address, Social Insurance Number, or date of birth.”

Since detecting the incident, the financial services company has notified impacted customers via email, and it is now providing them with two years of complimentary credit monitoring, as well as dark-web monitoring, identity theft protection, and insurance.

Affected customers are advised to secure their accounts using two-factor authentication (2FA) with an authenticator app, never reuse passwords, and remain vigilant against potential phishing attempts impersonating Wealthsimple.

Breach likely part of Salesloft supply-chain attack

While the company didn’t provide any information on how the attackers gained access to the customers’ personal information, the details shared in the statement and data breach notifications suggest that the company may have been one of the victims in a recent wave of Salesforce data breaches linked to the ShinyHunters extortion group.

We have reached out to Wealthsimple with questions about the incident and to confirm how the attackers stole its customers’ data, but a response was not immediately available. However, BleepingComputer has found a Salesloft instance on a Wealthsimple subdomain that appears to be currently inactive. Earlier today, ShinyHunters confirmed to BleepingComputer that the Wealthsimple breach was also part of the Salesloft supply-chain attack.

Since the start of the year, ShinyHunters has targeted Salesforce customers in data theft attacks using voice phishing, which led to data breaches impacting high-profile companies like Google, Cisco, Allianz Life, Qantas, Adidas, Farmers Insurance, Workday, and LVMH subsidiaries, including Dior, Louis Vuitton, and Tiffany & Co.

More recently, the cybercrime gang shifted to using stolen OAuth tokens for Salesloft’s Drift AI chat integration with Salesforce to compromise Salesforce instances and steal sensitive information, such as passwords, Snowflake tokens, and AWS access keys, from support tickets and support messages from its victims’ customers.

Using this tactic, ShinyHunters has also gained access to a small number of Google Workspace accounts and breached the Salesforce instances of multiple cybersecurity companies, including Cloudflare, Palo Alto Networks, Zscaler, Tenable, Proofpoint, CyberArk, BeyondTrust, JFrog, Cato Networks, and Rubrik.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.