BETTERMENT LLC disclosed a January 2026 incident in which an attacker used social engineering to access a third‑party platform used for customer communications, then abused it to send crypto‑themed phishing messages and exfiltrate contact and identity data for more than a million people.
According to the US Securities and Exchange Commission (SEC), the leaked files include retirement plan details, financial interests, internal meeting notes and pipeline data, giving cybercriminals real context about a person’s finances and professional life. What’s worse is that ransomware group Shiny Hunters claims that, since Betterment refused to pay their demanded ransom, it is publishing the stolen data.
While Betterment has not revealed the number of affected customers in its online communications, consensus indicates that the data of 1.4 million customers was involved. Malwarebytes analysed a CSV file containing data on 181,487 people, including full names, work and personal email addresses, job titles, phone numbers, addresses, plan details and survey responses.
This level of detail can enable highly targeted phishing and impersonation attempts, potentially worsening the risk when combined with data from other breaches.