Uphold leaking data?

I checked my SPAM folder and noticed multiple mails sent to my Uphold mail address. It’s a unique address I just used on the Uphold website.


So how come I get spam mails on an address which is uniquely used and generated just for Uphold?
I don’t know but I am happy that I removed all my funds from Uphold.
I avoid any communication with Uphold as I am sure I will just get the standard responses from a brainless support agent or bot.

Emails that are not necessarily spam sometimes end up in the spam folder as well. Sometimes people following up on Brave support tickets also end up with replies in the spam folder.
It could be that your Uphold account required a Re KYC / AML.

@anoraknophobia Just so you know, I’m attacking this from two sides. The first is just a bit of a lecture to Users in general. It’s because people tend to skip this stuff when they need to pay very close attention. So here’s the User lecture first:


Lecture:
It’s usually important for you and others to always read Terms. I’m guessing you skipped over it? For example, under their Terms they have a portion called:

How do we use your Personal Data, and on what legal basis do we collect and process your Personal Data?

If you go down, you’ll see:

  • Behavioral Advertising and Analytics (including attribution statistics)*: For those who choose to consent (opt-in) to our targeted advertising cookies, this process includes combining different account, transactional, marketing, and cross-device tracking. When we apply these techniques we may use your Personal Information to provide you with targeted advertisements, banners, or marketing communications we believe may be of interest to you. We may also use information from your mobile device, such as: browser type, device type and model, IDFA Identifiers, CPU, system language, memory, OS version, Wi-Fi status, time stamp and zone, device motion parameters and carrier for advanced attribution, acquisition, and analytical purposes including personalized or lookalike advertising. For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page here.

*If you have chosen to consent to our targeted advertising cookies but would like to change your mind and opt-out, you can do so by using the links below:

Additionally, you can opt-out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info/. Or by visiting any of the links below: http://optout.networkadvertising.org/ or http://youronlinechoices.eu/.

In other words, if you just hurriedly accepted things when you created your Uphold account, you likely approved Uphold to share data with all of those advertisers.

You may also want to read their cookie policy in-depth, which can be seen at https://uphold.com/legal/cookie-policy

Also, there’s:

How do we use your Personal Data to inform you and market to you?

In compliance with applicable laws, we may send you personalized marketing information, including by email, and such information may include product and service updates, industry news, our events, activities and offers, information about our business and personnel, and tips. We may combine your Personal Data such as age, transaction history, account usage to improve the value and specificity of these communications.

You can ask us to stop sending you marketing messages or information at any time by following the “unsubscribe” link on any marketing message sent to you or by updating your contact preferences directly on the Uphold Platform. Please note, it may take up to 10 days for this to take effect. Where you opt-out of receiving these marketing messages or publications, this will not apply to Personal Data collected by or provided to us in connection with a specific purpose, request, order, event or activity or any dealings with you, and you may still receive emails from us relating to the operation of the Uphold service, like transaction confirmations.

Of course, the most interesting part is about selling or sharing your information.

  • How do we share your Personal Data?

We sometimes share your information internally between employees and contractors of the Uphold Group (including those based outside the European Economic Area (“EEA”)), in particular in connection with activities undertaken jointly or in common with such group members and/or provide IT and system administration services and undertake management reporting.

We may disclose your personal data to our partner and affiliate Optimus Cards UK Limited (FRN: 902034) (“Optimus”), which provides e-money services in the UK. Optimus will hold your information on their own account, and process it in accordance with their own privacy policy, which may be updated from time to time. You can read Optimus’ privacy policy here.

We do not sell, trade or otherwise transfer your Personal Data to third parties other than third parties who assist us in operating our Service, third parties who assist us in facilitating certain programs and other business arrangements for which you have expressly agreed to participate, management and reporting, maintaining compliance with relevant laws (including compliance with relevant anti-corruption, anti‐bribery, anti‐terrorism, and anti‐money laundering laws), conducting our business or supporting our users, or providing you with applications or services integrated via our API. We require that those third parties agree to keep this information confidential and secure on the same conditions and protection levels we provide to you as a user, in accordance with relevant privacy laws, including the GDPR. A complete list of our sub-processors can be viewed here

We may also release your information to certified and authorized law enforcement officials when we believe release is appropriate to comply with the law, enforce our terms or policies, or protect the rights, property, or safety of Uphold, our users, or others. We have a set of guidelines for how we engage with law enforcement officials that are available to the public here.

Finally, in the event of the sale or transfer of ownership, your data would be shared with the new owners.

What’s intriguing about it the most is you’ll often hear:

We do not sell, trade or otherwise transfer your Personal Data

But what you don’t often hear is what follows that:

other than third parties who assist us in operating our Service, third parties who assist us in facilitating certain programs and other business arrangements for which you have expressly agreed to participate

So they do sell or share data. It’s just to specific people, which you can see many of at https://uphold.com/legal/uphold-subprocessor-list in terms of who and why.

And yes, leaks have happened, such as https://apps.web.maine.gov/online/aeviewer/ME/40/d88e1395-b0d8-4d35-b07c-439b80ae8f07.shtml where last year approximately 150 people were affected.

1 Like

On the other side, which is against Uphold, I wrote in an email to their Privacy team. That email is as follows:

I’ve recently come across posts from people who have stated they created emails to be used only with Uphold. They did not provide those email addresses to anyone else. Shortly after creating an account with Uphold, they started to receive emails for Exodus Wallet, MetaMask, and other places. All of which seem to be scams that say things like “Assets failed to merge” and “Your tokens have failed to update.”

While reading through your Privacy & Data Privacy, it seems you do share data with 3rd parties, such as Adroll, Facebook, Google, and others. I am hoping to be clear to determine whether this means you’re sharing email addresses to these parties? If not, then to ask whether there could be a leak in information?

For you to see, posts I’ve found of people complaining on this situation can be seen at the two links below:

Uphold leaking data?

https://www.reddit.com/r/uphold/comments/z9i64y/data_leakage_or_selling_user_data/

I do know your policy does say you don’t sell data EXCEPT to “third parties other than third parties who assist us in operating our Service, third parties who assist us in facilitating certain programs and other business arrangements for which you have expressly agreed to participate…” So it is clear that data gets shared. And while you say they agree to keep it confidential, I wonder to which ends that goes? Sharing to ad places such as Adsense, Google, and others really does open the door of them sharing or misusing data.

Ideally, I’m just hoping you can address this more clearly. Also, might be good to even have an official response in places like the Uphold Reddit I linked above, where people asked about the leakage or selling of data.

So I am hoping to get them to address it as well.

1 Like

These are the sources of the mails.
Cannot find them on the list and all 3 contain phishing links to get private keys.
So highly doubt it is intended from Uphold.

[3 images]

I’ve been getting these too and marking them all as spam.

Still waiting for Gemini to come back in Europe.
P.S Uphold s…k.

I am really surprised that Uphold is still operating in the EU zone. This is a clear violation of European regulations.
I know Uphold has been banned in some European countries. Unfortunately not yet from all of them, although EU regulations apply to all 26 EU countries.

Brave (@Brave) it is the time to bring those alternatives you have been speaking about.

1 Like

Gemini is bankrupt. I advise you to follow the news :slight_smile:

Agreed, those aren’t specifically listed. What I am saying though is Adroll, Facebook, Google, and other places that are listed could be using the data. Unfortunately, we know Google and Facebook will sell any and all data to make a profit. We also never know if any of those places have any leaks.

1 Like

Btw, my reply received from Uphold on the email I sent just was:

Thank you for your email. In order to assist you, could you be a bit more specific on the question that you are seeking a response to?

Kind regards,

Uphold Data Privacy Team
uphold.com

I mean, I was pretty clear in details and you’d figure they would have come back with something like “we’ll investigate” or “thanks for bringing this to our attention.” But oh no, it was just an avoidance and asking me to narrow down to a question.

Thus, my reply to them:

Well, I was hoping you’d take the time to check out the links I provided where you’d see the details of people complaining about getting scam emails after signing up with Uphold. The one said it was a brand new email and Uphold was the only one they provided the address to. And plenty others are saying “me too” on getting these scam emails ONLY after signing up with Uphold.

If I have to spell out specific questions, I guess I’ll make a few.

  1. Were you aware of these complaints of scam emails being sent ONLY after people provide their emails to Uphold?
  2. With many reports coming out of scam emails being sent after providing email to Uphold, can you be certain there are no current data leaks?
  3. Will you be doing anything to investigate and prevent these scam emails from occurring? If it’s not from you directly selling or providing the info, such as you do to Adroll, Facebook, Google, and others, then this information has to be picked up from someone.

The emails being received aren’t from legitimate addresses tied to any of your partners. Attached are screenshots of some examples of the emails and addresses which have sent emails to people after they created an Uphold account.

1 Like

Genesis went bankrupt, not Gemini (at least not yet). Gemini did just lay off another 10% of their staff, but no news of them going bankrupt or defunct.


Btw, the latest updates from Uphold Data Privacy Team

Next update(s) from Uphold emails with the Uphold Data Privacy Team:

2 Likes

Wow. So the 3rd party notified about the breach back on Jul 7, 2022 and Uphold did it 6 months later? Did they hope they could get through this without any communication?
They could have sent a mail to all users about what happened way earlier.

Thanks @Saoiray for digging deeper into the rabbit hole.

1 Like

Haha, thanks! @Saoiray

I feel screwed.
Why are customers not contacted about this by e-mail? What is the point of that? Unprofessional!
The leak was apparently in July 2022. The first phishing mails were in November 2022. Many users have contacted Uphold. No response.

Apparently there were enough complaints now. After all, this “only” took a few months. Sorry, what a Sh*tshow.

2 Likes

Thanks for investigating @Saoiray - interesting that we’re only learning of this now.

If you click into the July 2022 message…

"… After further investigating the compromised OpenSea email addresses incident, we have learned today that the email addresses from five other customers were also provided to the same external bad actor."

First of all, I don’t have an OpenSea email address, just the one associated with Uphold. Secondly, the July 22 note is clearly not the first update, yet they conveniently omitted to include a link to the original update. :face_with_raised_eyebrow:

The plot thickens!

2 Likes

What gets me is there’s been more breaches as well. Such as I found this:

It’s their template of what had to be sent out. It was remaining on Massachusetts website at https://www.mass.gov/doc/assigned-data-breach-number-28048-apto-payments-inc/download#:~:text=On%20June%2011%2C%202022%2C%20a,further%20access%20to%20your%20information. There’s also a report at https://apps.web.maine.gov/online/aeviewer/ME/40/d88e1395-b0d8-4d35-b07c-439b80ae8f07.shtml

It’s kind of hard to seek history on it because “uphold” gets flooded out by tons of things like “judge upholds” in relation to other companies.

So that means there were possibly two data breaches back to back in June/July of 2022. Either that, or they are lying on the timeframe on one of those, lol.

2 Likes