Thu. Apr 2nd, 2026

Security Incident Report: January 2026


Executive Summary

Transparency, trust and the safety of our customers’ assets are our highest priorities at Betterment. Consistent with those priorities, we are sharing details following the conclusion of our investigation into the January 9 security incident.

What Happened
On January 9, 2026, an unauthorized third party (the “threat actor”) gained access to a Betterment employee’s account through social engineering. This access included applications we use for marketing and operations.

Customer account and transaction systems were not impacted. In addition to other controls, those systems are protected by device trust policies, which restrict access to Betterment-managed devices only, regardless of whether valid credentials are presented. This additional layer of security protected customer accounts and transaction systems, which were never breached.
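The following is an added illustration of the control described above, not Betterment's own code: an authorization check that evaluates device trust separately from credential validity, so a valid session from an unmanaged device is still denied for protected systems. The application tiers, device inventory and the placement of the marketing application outside the device-trust tier are constructed assumptions for the example.

```python
"""Device-trust authorization check (constructed example).

A request reaches a protected system only when the credentials AND MFA are
valid AND the request comes from a managed device. Valid credentials alone
are never sufficient for the protected tier.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for an MDM/EDR inventory of managed device identities.
MANAGED_DEVICE_IDS = {"dev-1001", "dev-1002"}

# Constructed application tiers; "protected" requires a managed device.
APP_TIER = {
    "customer-accounts": "protected",
    "transactions": "protected",
    "marketing-email": "standard",  # assumed to sit outside the device-trust tier
}


@dataclass
class AccessRequest:
    user: str
    app: str
    credentials_valid: bool
    mfa_passed: bool
    device_id: Optional[str]  # None when the client presents no device identity


def device_is_trusted(device_id: Optional[str]) -> bool:
    """Only a device identity present in the managed inventory is trusted;
    a missing or unknown identity is untrusted (default deny)."""
    return device_id is not None and device_id in MANAGED_DEVICE_IDS


def authorize(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Device trust is checked independently of the
    credential check, so a socially engineered but valid session from an
    unmanaged device cannot reach protected systems."""
    if not (req.credentials_valid and req.mfa_passed):
        return False, "invalid credentials or MFA"
    tier = APP_TIER.get(req.app)
    if tier is None:
        return False, "unknown application"  # default deny
    if tier == "protected" and not device_is_trusted(req.device_id):
        return False, "protected system requires a managed device"
    return True, "allowed"
```

A phished session from an unmanaged device passes the credential check but is refused at the device-trust check for any application in the protected tier.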

Our investigation confirmed that no customer accounts, passwords, or login information were compromised.

The threat actor sent a fraudulent crypto offer to approximately 460,000 customers via email and mobile push notifications. We immediately intervened to revoke access and alerted those customers to disregard the offer. We made those impacted by the offer whole for their losses.

Impact and Data Security
Before the threat actor’s activity was suspended, they were able to obtain data associated with approximately 1.4 million customers and business contacts. In the vast majority of cases, the data was limited to name only or name in combination with email address.

Next Steps
We’ve taken this opportunity to reinforce our systems and enhance our security protocols, ensuring our protections remain as resilient as possible. This includes enhancements to our existing multi-factor authentication (“MFA”) login controls and security monitoring. Additional details are outlined in “Control Enhancements” below.

Post-Incident Response

Investigation
Upon detection, we immediately activated our incident response plan and launched an investigation. We engaged external counsel to lead the investigation with the support of CrowdStrike, an experienced forensics firm. The investigation was also supported by HaystackID, an independent data analytics firm, which reviewed data that was accessed to identify potential privacy risks.

Response to Extortion Attempt
Several days after the initial incident, we received communications from a criminal group who demanded a crypto payment. Additional harassment and threatening messages followed, with conflicting deadlines. We engaged professional advice and consulted with law enforcement, and decided not to engage with the criminal group. On January 23, the criminal group posted data obtained in this incident to a since-removed leak site online.

Betterment Communications
On January 9, we quickly alerted customers who received the fraudulent crypto offer to disregard it. 

On January 12, email communications were sent to all customers alerting them to the incident, and we established a customer update page. Since then, we have posted updates to this page as the investigation unfolded. 

Throughout our investigation, we worked closely with law enforcement, including promptly reporting the incident to various law enforcement agencies and filing an Internet Crime Complaint Center (“IC3”) report. We also shared timely threat intelligence and indicators of compromise (“IOCs”) with the security community.

Once our privacy assessment concluded, we sent notifications to a limited subset of customers whose impacted information included a combination of data that could be more sensitive.

Control Enhancements
Betterment has taken several steps to harden its security posture and mitigate the risk of similar incidents in the future, including:

While these improvements are important, we are not stopping here. We continue to evaluate and adopt additional enhancements to further strengthen controls and overall security posture.

Betterment accounts are protected by multiple layers of security; no customer action is required. 

We do encourage all customers to remain vigilant and to be cautious of unexpected communications. Please remember that Betterment will never call, text, or email you with a request to share your password or other sensitive personal information.

No additional actions are required from Betterment at Work 401(k) plan sponsors or third-party advisors that manage client assets through the Betterment Advisor Solutions platform. The threat actor did not have access to API keys, payroll integrations, or other system interfaces.

If customers ever suspect unauthorized activity or have any concerns about fraud, our team can be reached at fraud@betterment.com.

To be clear, this is not the experience we want for our customers and partners. We continue to take steps to add additional layers of security and improve our protections to consistently earn and live up to the trust our customers place in Betterment every day.



By uttu
