TL;DR: ShinyHunters breached Betterment, the robo-advisor managing $65 billion in assets for over a million customers. They vished their way into a third-party vendor, exfiltrated 1.4 million customer records (names, emails, phone numbers, addresses, dates of birth), then used the stolen access to email customers a fake crypto scam pretending to be Betterment. If you have a Betterment account, your personal data is in criminal hands. Your investment accounts weren't compromised, but everything around them was.

What Happened

On January 9, 2026, Betterment customers got an email that looked like it came from the company. It promised to "triple the amount of cryptocurrency" sent to certain Bitcoin and Ethereum wallets. It was a scam, but the email came through Betterment's actual marketing systems.

That's because ShinyHunters hadn't just stolen the data. They'd taken over the tools Betterment uses to talk to its customers.

Betterment disclosed the breach on January 10, admitting an "unauthorized third party" accessed customer data through third-party software platforms used for marketing and operations. By January 12, the company confirmed it was a data breach. By late January, ShinyHunters claimed credit, posting a database on their extortion site that they said contained over 2 million records.

On February 5, Have I Been Pwned confirmed 1.4 million unique email addresses in the breach dataset.

What Got Stolen

Betterment says no investment accounts, passwords, or login credentials were compromised. Here's what was:

  • Names and email addresses (all 1.4 million)
  • Physical mailing addresses (subset of users)
  • Phone numbers (subset of users)
  • Dates of birth (subset of users)
  • Geographic location data
  • Job titles and employer information
  • Device information

Betterment's spin: your money is safe. The reality: someone now has your name, birthday, home address, phone number, and the fact that you use an investment platform managing $65 billion. That's a gift-wrapped spear-phishing target list.

How ShinyHunters Got In

Same playbook, different victim. ShinyHunters told The Register they got in by voice phishing (vishing) Okta single sign-on codes from IT support staff at a third-party vendor.

Here's the attack chain:

  1. Call IT support at the vendor, impersonate an employee
  2. Trick them into resetting credentials or approving MFA requests
  3. Use the compromised Okta SSO access to reach connected platforms
  4. Register a malicious connected app inside the platform
  5. Use that app to bulk-exfiltrate customer data, bypassing network defenses entirely
  6. Then pivot, using marketing tool access to email scam messages directly to customers

Security researchers believe the compromised platform was Salesforce, though neither Betterment nor Salesforce confirmed it. Salesforce acknowledged the incidents "do not stem from a vulnerability" but from social engineering, and recommended enforcing "phishing-resistant multifactor authentication, such as FIDO2, particularly for SaaS admin portals."

Translation: push notifications aren't cutting it. Hardware keys or nothing.
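
For defenders, the attack chain above is a sequence that can be correlated per identity: a help-desk reset followed shortly by a new-device SSO login, an app registration, a bulk export and a mass send. The Python below is an added example, not code from Betterment, Okta or Salesforce; the event names, the 24-hour window, the alert threshold and the sample events are all constructed assumptions, not a real log schema.

```python
from datetime import datetime, timedelta

# Stages of the chain described above, as hypothetical normalized event names
# (not a real Okta or Salesforce log schema).
CHAIN = ["helpdesk_mfa_reset", "sso_login_new_device",
         "connected_app_registered", "bulk_export", "mass_email_send"]
WINDOW = timedelta(hours=24)   # assumed correlation window
ALERT_AT = 3                   # reset + new-device login + app registration

# Constructed sample events: (ISO timestamp, identity, event name).
EVENTS = [
    ("2030-01-01T09:00:00", "user-b", "sso_login_new_device"),
    ("2030-01-01T09:30:00", "user-b", "bulk_export"),
    ("2030-01-01T14:02:00", "user-a", "helpdesk_mfa_reset"),
    ("2030-01-01T14:09:00", "user-a", "sso_login_new_device"),
    ("2030-01-01T14:31:00", "user-a", "connected_app_registered"),
    ("2030-01-01T14:40:00", "user-a", "bulk_export"),
    ("2030-01-01T15:05:00", "user-a", "mass_email_send"),
    ("2030-01-03T10:00:00", "user-c", "helpdesk_mfa_reset"),
    ("2030-01-05T10:00:00", "user-c", "sso_login_new_device"),
]

def chain_progress(events, window=WINDOW):
    """Map each identity to the chain stages it matched, in order, after a reset."""
    progress = {}
    for ts, user, kind in sorted(events):
        when = datetime.fromisoformat(ts)
        start, stages = progress.get(user, (None, []))
        expired = start is None or when - start > window
        if kind == CHAIN[0] and expired:
            progress[user] = (when, [kind])      # a help-desk reset opens a chain
        elif not expired and len(stages) < len(CHAIN) and kind == CHAIN[len(stages)]:
            stages.append(kind)                  # next expected stage, inside window
    return {user: stages for user, (_, stages) in progress.items()}

def alerts(events, threshold=ALERT_AT):
    """Identities whose post-reset activity reached `threshold` stages."""
    return {u: s for u, s in chain_progress(events).items() if len(s) >= threshold}

if __name__ == "__main__":
    for user, stages in alerts(EVENTS).items():
        print(user, "->", " > ".join(stages))
```

Alerting at the third stage flags the identity when the connected app is registered, before any export or outbound email happens.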

The ShinyHunters Rampage

Betterment isn't an isolated hit. ShinyHunters have been systematically exploiting the same weakness (third-party vendor access via Okta SSO) across dozens of companies. Google Threat Intelligence flagged ShinyHunters targeting Salesforce instances as far back as June 2025.

Their 2025-2026 hit list keeps growing:

  • Harvard and UPenn: 2.2 million alumni records (February 2026)
  • Grubhub: supply chain attack (January 2026)
  • 100+ companies: Okta SSO campaign (2025-2026)
  • TransUnion: via Salesforce (2025)
  • SoundCloud: 29.8 million records
  • Panera Bread: 5.1 million records

The pattern is clear. ShinyHunters don't hack their targets directly. They hack the tools the targets trust. One vendor compromise, one vished Okta code, and they're inside every connected customer's data.

The Crypto Scam Twist

Most breach groups steal data, demand ransom, leak what doesn't sell. ShinyHunters added a step: they used the compromised marketing tools to run a cryptocurrency scam on the victims in real time.

The fraudulent email went out through Betterment's own systems, promising to "triple" any crypto sent to attacker-controlled wallets. Because it came through official channels, it looked legitimate. We don't know how many customers fell for it.

This is the evolution of breach monetization. Why wait for ransom negotiations when you can scam the customers directly using the company's own infrastructure?

What Betterment Customers Should Do

Ignore Any Crypto Offers

Betterment will never ask you to send cryptocurrency anywhere. Any email offering to "triple" or "double" your crypto is a scam. Period.

Watch for Targeted Phishing

Attackers now know your name, email, address, and that you use an investment platform. Expect convincing phishing attempts referencing your Betterment account.

Check Have I Been Pwned

Search your email at haveibeenpwned.com to confirm whether you're in this breach. If so, assume all exposed data is compromised.

Enable Hardware MFA

If your Betterment account supports hardware security keys, use them. Push-notification MFA is exactly what ShinyHunters exploit.

Betterment brought in CrowdStrike for forensics and says investment accounts weren't accessed. That's good. But the personal data is out there, and ShinyHunters have already demonstrated they'll use it.

The Bigger Problem

Every fintech app you use connects to third-party vendors for marketing, operations, analytics, and support. Each vendor is an entry point. Each vendor employee with Okta access is one phone call away from handing over the keys.

Betterment didn't get hacked because its security was bad. It got hacked because a vendor's IT support desk got fooled by a phone call. That's the state of enterprise security in 2026: your data is only as safe as the least-trained support rep at your vendor's vendor.

ShinyHunters know this. That's why they keep winning.

References

  1. American Banker - Betterment data breach exposes 1.4 million customers (February 2026)
  2. The Register - Betterment breach scope pegged at 1.4M users (February 5, 2026)
  3. BleepingComputer - Data breach at fintech firm Betterment exposes 1.4 million accounts (February 2026)
  4. TechNadu - 1.4 Million Betterment Email Addresses Exposed (February 2026)
  5. Cybersecurity News - Betterment Data Breach Exposes 1.4 million Customers Personal Details (February 2026)