
How Betterment contained the January 9 incident that exposed contact data

The following report explains the events, findings and follow-up actions related to the security incident detected on January 9, 2026. It outlines what systems were accessed, which customer records were involved, and the technical and organizational steps taken to contain the activity and reduce future risk. Throughout the response, Betterment engaged external experts and law enforcement, applied a layered containment strategy and communicated with customers as facts were verified.

At a high level, an unauthorized individual gained entry to an employee account through social engineering. The person used falsified caller ID and a voice phishing kit to capture credentials and a one-time code, then registered a device to access the single sign-on portal. The actor reached several marketing and operations applications, but our transaction systems were safeguarded by a device trust policy that allows access only from Betterment-managed devices. As a result, customer accounts and transaction systems were not breached, and the investigation confirmed that no customer passwords or login details were compromised.

Scope and immediate impact

Before access was cut off, the actor sent a fraudulent crypto offer to roughly 460,000 customers by email and mobile push, and accessed contact details associated with about 1.4 million customers and business contacts. For most of those records the information was limited to name only or name plus email address. Betterment intervened quickly to revoke access, notified recipients to disregard the message, and reimbursed customers who suffered losses connected to the false offer. The actor did not achieve persistence, lateral movement, or privilege escalation, and system integrity was not affected.

Investigation and law enforcement engagement

Upon detection we activated our incident response plan and retained external counsel to coordinate the investigation. Forensic analysis was performed by CrowdStrike, and data access review was provided by the independent analytics firm HaystackID. We reported the event to law enforcement and filed an Internet Crime Complaint Center (IC3) report. Several days after the initial compromise, a criminal group demanded a crypto payment and later published some data to a leak site. We consulted with law enforcement and intelligence specialists and elected not to meet the extortion demands.

Timeline highlights

The sequence below summarizes key timestamps and actions taken during the event:

Initial compromise and containment

On Jan 09 at 13:31 EST, social engineering techniques were used to obtain credentials and a required one-time passcode. The actor registered a device and accessed the Okta single sign-on portal. Between 13:31 and 18:18 EST on Jan 09 the threat actor accessed certain web applications used for marketing and operations; transaction systems remained shielded by device trust. At 17:46 the fraudulent crypto message was sent to customers. Incident response was declared at 18:03, the compromised marketing account was suspended at 18:05, the Okta account was deactivated at 18:09, and activity ceased by 18:18. An initial customer alert was posted at 19:00.

Following the incident, on Jan 12, 10:00 Betterment emailed all customers about the event and launched a dedicated update page. On Jan 13, 9:04 the company experienced a disruptive DDoS attack that caused intermittent outages; mitigation restored partial access by 10:25 EST and full access by 14:40 EST. On Jan 23 some data was posted to a now-removed leak site on a .onion domain.

Controls strengthened and next steps

In response to the incident we accelerated several enhancements to harden defenses. We tightened multi-factor authentication (MFA) by deprecating the remaining non-hardware authenticators and restricting enrollment of new authenticators. Security monitoring and alerting were upgraded to shorten detection and response intervals. We reinforced phishing simulation programs and employee security training, and deployed advanced Denial of Service (DoS) protections to absorb larger attacks. These measures are part of an ongoing program of improvements rather than a final checklist.
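The two controls this report leans on, a device trust policy that gates sensitive apps to managed devices and alerting on newly registered devices being used for SSO access, can be replayed over authentication events. The example below is added here and is not Betterment's code; it uses a constructed, simplified event schema (not any vendor's real log format), a hypothetical managed-device inventory and sample events modeled loosely on the timeline above.

```python
from datetime import datetime, timedelta

# Constructed device-trust inventory: only these device IDs are company-managed.
MANAGED_DEVICES = {"mdm-laptop-0042", "mdm-laptop-0077"}
# Apps the device-trust policy restricts to managed devices (hypothetical names).
SENSITIVE_APPS = {"transactions-admin", "payments-console"}

# Constructed, simplified auth events (hypothetical schema, not a real SSO log format).
EVENTS = [
    {"ts": "2026-01-09T13:31:00", "user": "mkt.user", "type": "device.register",
     "device": "unk-phone-91", "app": None},
    {"ts": "2026-01-09T13:33:00", "user": "mkt.user", "type": "app.access",
     "device": "unk-phone-91", "app": "email-campaigns"},
    {"ts": "2026-01-09T13:45:00", "user": "mkt.user", "type": "app.access",
     "device": "unk-phone-91", "app": "transactions-admin"},
    {"ts": "2026-01-09T15:00:00", "user": "ops.user", "type": "app.access",
     "device": "mdm-laptop-0042", "app": "transactions-admin"},
]

def device_trust_decision(app, device, managed=MANAGED_DEVICES, sensitive=SENSITIVE_APPS):
    """Allow sensitive apps only from managed devices; other apps are not gated here."""
    if app in sensitive and device not in managed:
        return "deny"
    return "allow"

def evaluate(events, window_minutes=60):
    """Replay events in time order: apply the device-trust policy to each app access
    and raise an alert when the device was registered to that user within the window."""
    registrations = {}  # (user, device) -> registration time
    decisions, alerts = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["device"])
        if ev["type"] == "device.register":
            registrations[key] = ts
            continue
        if ev["type"] != "app.access":
            continue
        decision = device_trust_decision(ev["app"], ev["device"])
        decisions.append((ev["ts"], ev["app"], decision))
        reg = registrations.get(key)
        if reg is not None and ts - reg <= timedelta(minutes=window_minutes):
            age = int((ts - reg).total_seconds() // 60)
            alerts.append(f"{ev['ts']} {ev['user']}: {ev['app']} accessed from device "
                          f"{ev['device']} registered {age} min earlier ({decision})")
    return decisions, alerts

if __name__ == "__main__":
    for line in evaluate(EVENTS)[1]:
        print("ALERT", line)
```

Note that the policy still permits the marketing app from the unmanaged device, exactly the gap the report describes; the alert is what shrinks the window between that first access and containment.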

Advice for customers and partners

Betterment accounts have multiple, layered protections and no customer action is required to restore safety. Customers should remain vigilant and ignore unexpected messages asking for credentials—Betterment will never request your password or sensitive personal information by phone or email. Employers and advisors using the Betterment Advisor Solutions platform do not need to take additional steps: the threat actor did not access API keys, payroll integrations, or other system interfaces tied to 401(k) plans. If you suspect fraud, contact [email protected].

We recognize the trust customers place in financial providers and remain committed to transparency. The company continues to review additional technical and organizational steps to reduce future risk and will provide updates through the established customer page as appropriate.
