Wealthsimple Confirms Data Breach, Cites Third-Party Vulnerability
At the end of August, Canadian fintech company Wealthsimple reported a security incident that affected a small fraction of its clientele. According to the firm, on August 30 it detected the compromise of a third-party software package on which its systems depended. This led to a brief episode of unauthorized access to the personal information of fewer than 1% of users. Funds and passwords remained secure throughout, and all accounts remained under the full control of their rightful owners.
Founded in 2014 and headquartered in Toronto, Wealthsimple manages over 84.5 billion CAD in assets (approximately 61 billion USD) and serves more than three million clients across Canada. Its services span investments, trading, cryptocurrency, tax tools, and products for everyday spending and savings. The Wealthsimple app has been downloaded more than one million times on Android, while its iOS version boasts over 126,000 user reviews.
The breach was contained within hours of discovery. External experts were brought in to assist with the investigation, and regulatory authorities overseeing data protection and financial compliance were promptly notified. At the same time, Wealthsimple began notifying affected clients, with the mass notification campaign completed by September 5 at 10:30 a.m. ET. Customers who did not receive a notice were not impacted.
Among the compromised data were contact details, identity documents submitted at registration, account numbers, IP addresses, dates of birth, and Social Insurance Numbers. Crucially, financial information—such as account balances or transaction records—was not exposed.
To mitigate the impact, Wealthsimple offered all affected clients a two-year protection package, including credit monitoring, dark web surveillance, identity theft insurance, and access to a dedicated support team. A separate unit was assigned to handle communications with those whose information had been compromised.
Some analysts speculated about links to the recent Salesforce breaches attributed to ShinyHunters, but Wealthsimple firmly denied any connection, stressing that this incident was unrelated.
The company also urged clients to bolster their own security practices: enabling two-factor authentication (2FA) via authenticator apps, avoiding password reuse across services, and remaining vigilant against phishing emails or calls. Wealthsimple emphasized that it never requests passwords, verification codes, or money transfers from clients.
According to company representatives, customer trust remains paramount. For this reason, Wealthsimple disclosed the incident immediately after completing its initial review and implemented enhanced security measures without delay.