Security Incident Report: January 2026

Executive Summary

Transparency, trust and the safety of our customers' assets are our highest priorities at Betterment. Consistent with those priorities, we are sharing details following the conclusion of our investigation into the January 9 security incident.

What Happened
On January 9, 2026, an unauthorized third party (“threat actor”) gained access to a Betterment employee’s account through social engineering. This access included applications we use for marketing and operations.

Customer account and transaction systems were not impacted. In addition to other controls, those systems are protected by device trust policies, which restrict access to Betterment-managed devices only, regardless of whether valid credentials are presented. This additional layer of security protected customer accounts, and transaction systems were never breached.

Our investigation confirmed that no customer accounts, passwords, or login information were compromised.

The threat actor sent a fraudulent crypto offer to approximately 460,000 customers via email and mobile push notifications. We immediately intervened to revoke access and alerted those customers to disregard the offer. We made those impacted by the offer whole for their losses.

Impact and Data Security
Before the threat actor’s activity was suspended, they were able to obtain data associated with approximately 1.4 million customers and business contacts. In the vast majority of cases, the data was limited to name only or name in combination with email address.

Next Steps
We’ve taken this opportunity to reinforce our systems and enhance our security protocols, ensuring our protections remain as resilient as possible. This includes enhancements to our existing multi-factor authentication (“MFA”) login controls and security monitoring. Additional details are outlined in “Control Enhancements” below.

Post-Incident Response

Investigation
Upon detection, we immediately activated our incident response plan and launched an investigation. We engaged external counsel to lead the investigation with the support of CrowdStrike, an experienced forensics firm. The investigation was also supported by HaystackID, an independent data analytics firm, which reviewed data that was accessed to identify potential privacy risks.

Response to Extortion Attempt
Several days after the initial incident, we received communications from a criminal group that demanded a crypto payment. Additional harassment and threatening messages followed, with conflicting deadlines. We sought professional advice, consulted with law enforcement, and decided not to engage with the criminal group. On January 23, the criminal group posted data obtained in this incident to a since-removed leak site online.

Betterment Communications
On January 9, we quickly alerted customers who received the fraudulent crypto offer to disregard it. 

On January 12, email communications were sent to all customers alerting them to the incident, and we established a customer update page. Since then, we have posted updates to this page as the investigation unfolded. 

Throughout our investigation, we worked closely with law enforcement, including promptly reporting the incident to various law enforcement agencies and filing an Internet Crime Complaint Center (“IC3”) report. We also shared timely threat intelligence and indicators of compromise (“IOCs”) with the security community.

Once our privacy assessment concluded, we sent notifications to a limited subset of customers whose impacted information included a combination of data that could be more sensitive.

Control Enhancements
Betterment has taken several steps to harden its security posture and mitigate the risk of similar incidents in the future, including:

  • Strengthened existing multi-factor authentication (“MFA”) login controls by sunsetting all remaining non-hardware methods and further restricting enrollment of new authenticators

  • Enhanced our security monitoring and alerting processes to enable faster detection and response to potentially unauthorized activity

  • Reinforced existing phishing simulation and security awareness training

  • Deployed advanced Denial of Service (DoS) protection to handle larger and more sophisticated attacks

While these improvements are important, we are not stopping here. We continue to evaluate and adopt additional enhancements to further strengthen controls and overall security posture.

Customer & Partner Guidance

Betterment accounts are protected by multiple layers of security; no customer action is required. 

We do encourage all customers to remain vigilant and to be cautious of unexpected communications. Please remember that Betterment will never call, text, or email you with a request to share your password or other sensitive personal information.

No additional actions are required from Betterment at Work 401(k) plan sponsors or third-party advisors that manage client assets through the Betterment Advisor Solutions platform. The threat actor did not have access to API keys, payroll integrations, or other system interfaces.

If customers ever suspect unauthorized activity or have any concerns about fraud, our team can be reached at fraud@betterment.com.

Conclusion

To be clear, this is not the experience we want for our customers and partners. We continue to take steps to add layers of security and improve our protections to consistently earn and live up to the trust our customers place in Betterment every day.

Appendix: Timeline

Jan 09, 13:31 EST Initial Compromise: Social engineering techniques including the use of falsified caller ID (labeled “Betterment IT”) and a voice phishing kit were deployed to obtain credentials and a required multi-factor authentication one-time passcode. The threat actor used the resulting credentials and MFA authentication to establish a new registered device, allowing them to access the Okta Single Sign-on portal from their own computer.

Jan 09, 13:31-18:18 Unauthorized Activity: The threat actor accessed several web applications used for marketing and operations; in addition to other controls, transaction systems were protected by device trust policies, which restrict access to Betterment-managed devices only.

Before the threat actor’s activity was suspended, they were able to obtain data associated with approximately 1.4 million customers and business contacts. In the vast majority of cases, the data was limited to name only or name in combination with email address. 

The threat actor was not able to establish persistence, lateral movement, or privilege escalation, and did not impact the integrity of any systems.

Jan 09, 17:46 Fraudulent Crypto Promotion / Detection: The threat actor sent a fraudulent, crypto-related message that appeared to come from Betterment to approximately 460,000 customers.

Jan 09, 18:03 Incident Response: Betterment personnel declared an incident and began response protocols.

Jan 09, 18:05 Containment: The user account within the third-party marketing application was suspended.

Jan 09, 18:09 The Okta Universal Directory account used by the threat actor was deactivated, and active sessions were canceled.

Jan 09, 18:18 After the threat actor's access to the account was revoked, all activity was suspended.

Jan 09, 19:00 Initial communication: Betterment’s first customer communication was emailed and posted to social media, alerting customers about the fraudulent crypto offer.

Beginning Jan 09 Professional services: We engaged external legal counsel and, through them, the cybersecurity firm CrowdStrike for forensic investigation, and the independent data analytics firm HaystackID to assess privacy impact.

Jan 12, 10:00 Additional Communication: We emailed all customers to make them aware of the security incident, regardless of whether they received the crypto email. We also established a page to provide ongoing updates.

Jan 12, 10:39 Demand: Betterment received communications from a criminal group demanding a crypto payment. We engaged with law enforcement and threat intelligence specialists to seek advice regarding the appropriate response strategy.

Jan 13, 9:04 Denial of Service: Betterment experienced intermittent outages of our website and mobile app due to a distributed denial-of-service (DDoS) attack. We began mitigation efforts immediately, restoring partial access by 10:25 EST and full access across all services by 14:40 EST.

Jan 14 through Jan 16 Targeted Threats: During this period, certain Betterment employees were subject to threatening messages and harassment believed to be related to the ongoing incident. We worked with law enforcement and security partners to assess and respond. No Betterment systems were impacted as a result of these activities. 

Jan 23 Data publication: Data originating from the incident was temporarily published to a “leak site” on a .onion domain, which has since been removed.
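
A detection sketch for the sequence in the Initial Compromise entry above (a phished one-time passcode followed by a new device registration), which is also the gap the authenticator-enrollment control enhancement closes. It is an added example, not Betterment's monitoring logic or a vendor log schema; the event field names, the 15-minute window and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Factors a caller can talk a user into reading out or approving (assumption:
# anything that is not a hardware-bound authenticator).
PHISHABLE_FACTORS = {"otp", "sms", "voice", "push"}
WINDOW = timedelta(minutes=15)  # hypothetical correlation window

# Constructed sample events; field names are hypothetical, not a vendor schema.
EVENTS = [
    {"ts": "2026-01-05T09:02:00", "user": "alice", "event": "mfa_verify",
     "factor": "hardware_key", "ip": "198.51.100.10"},
    {"ts": "2026-01-06T09:00:00", "user": "bob", "event": "mfa_verify",
     "factor": "otp", "ip": "198.51.100.20"},
    {"ts": "2026-01-07T14:00:00", "user": "bob", "event": "mfa_verify",
     "factor": "otp", "ip": "203.0.113.77"},
    {"ts": "2026-01-07T14:03:00", "user": "bob", "event": "device_enroll",
     "ip": "203.0.113.77"},
    {"ts": "2026-01-08T10:00:00", "user": "alice", "event": "mfa_verify",
     "factor": "hardware_key", "ip": "198.51.100.10"},
    {"ts": "2026-01-08T10:01:00", "user": "alice", "event": "device_enroll",
     "ip": "198.51.100.10"},
]


def find_suspicious_enrollments(events, window=WINDOW):
    """Return alerts for device enrollments that follow a phishable MFA
    verification from an IP the user had not used before."""
    seen_ips = {}    # user -> IPs seen on earlier events (the baseline)
    last_risky = {}  # user -> (time, ip) of last phishable MFA from a new IP
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, ip = ev["user"], ev["ip"]
        known = seen_ips.setdefault(user, set())
        if ev["event"] == "mfa_verify":
            # Only flag when a baseline exists and this IP is outside it.
            if ev["factor"] in PHISHABLE_FACTORS and known and ip not in known:
                last_risky[user] = (ts, ip)
        elif ev["event"] == "device_enroll":
            risky = last_risky.get(user)
            if risky and ip == risky[1] and ts - risky[0] <= window:
                delay = int((ts - risky[0]).total_seconds())
                alerts.append({"user": user, "ip": ip, "enrolled_at": ev["ts"],
                               "seconds_after_mfa": delay})
        known.add(ip)
    return alerts
```

Enrollments that follow a hardware-key verification from a known address, such as the constructed "alice" events, produce no alert.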