Betterment has disclosed that a recent security incident allowed unauthorised parties to access limited customer data and distribute a fraudulent message to users.
The automated investment platform confirmed that the breach occurred on 9 January 2026 and involved systems connected to third-party tools used for marketing and operational purposes.
According to information shared by Betterment, the intrusion was carried out through a social engineering technique rather than a direct compromise of its core infrastructure. As a result, attackers were able to obtain certain personal details, including customer names, email addresses, postal addresses, phone numbers and dates of birth. The company stated that login credentials and account passwords were not affected.
Fraudulent crypto message sent using compromised access
Using the access gained during the incident, the attackers sent messages to users promoting a fake cryptocurrency scheme. The notification falsely suggested that users could significantly increase the value of their crypto holdings by transferring funds to a wallet controlled by the attackers. Reports of the message circulating among customers were first highlighted by external media.
Betterment said it identified the unauthorised activity on the same day it occurred and moved to block further access. Representatives from Betterment indicated that an internal review was launched immediately, with support from an external cybersecurity specialist, and that the investigation remains ongoing. Impacted customers were contacted directly and advised to ignore the fraudulent communication.
The company has not disclosed how many customers were targeted or how many individuals had their information accessed during the incident. A notice outlining the breach was later published on Betterment’s website, although it contained limited detail regarding scale and exposure.
Betterment officials highlighted that customer investment accounts were not accessed and that there is no evidence of unauthorised transactions linked to the breach. Requests for additional clarification on the incident had not been answered at the time of reporting.
Separately, it was observed that the webpage detailing the incident included technical instructions preventing search engines from indexing it, reducing its visibility to the wider public.
