The Uphold scam involves emails that falsely claim a third-party data breach has exposed user information and that immediate action is required to secure an account. The messages present themselves as official security notices, warn that sensitive data may have been compromised, and direct recipients to call a listed “Uphold Security Hotline.” There is no confirmed public data breach that matches the claims made in these emails.
The emails do not link to an official Uphold website, status page, or authenticated account portal. Instead, every call to action pushes the recipient toward phone-based contact, often accompanied by a supposed verification code meant to add legitimacy. This communication pattern does not match how legitimate financial platforms disclose security incidents or handle account protection.
Messages of this type are consistent with phone-based phishing campaigns, also known as vishing. In these scams, attackers impersonate customer support representatives to extract account credentials, intercept authentication codes, or manipulate users into approving unauthorized actions. The fabricated breach narrative is used to create urgency and reduce skepticism before the phone call takes place.
How the Uphold Scam Works
The Uphold scam relies on a fake data breach claim to create urgency and push recipients into a phone-based interaction. Rather than directing users to a website designed to steal credentials, the operation is structured to move victims off email as quickly as possible and into a live conversation, where social engineering is more effective.
The scam begins with an unsolicited email that claims a third-party service provider connected to Uphold has suffered a data breach. The message states that sensitive account information may have been exposed and frames the situation as time-sensitive. Instead of providing a link to an official notice, account dashboard, or status page, the email instructs recipients to call a phone number labeled as an “Uphold Security Hotline.”
Below is an example of one of the emails reviewed during this investigation:
Uphold Security Notice: Please Contact Us
Third-Party Data Breach Affecting Uphold Users
Hi there,
We’re reaching out because a security incident has been identified that may impact your Uphold account. On December 17, 2025, our security team discovered that a third-party service provider experienced a data breach.
The following information may have been exposed:
• Email addresses linked to Uphold accounts
• Names and contact details
• Account backup and recovery preferences
• Transaction and activity logs
We strongly recommend reaching out to our Security Response Team to confirm the status of your account and to take any necessary protective measures.
Next Steps:
1 Contact our Security Response Team using the number below
2 Verify your account status with our security specialist
3 Follow the guidance provided to ensure your account is fully secured
Uphold Security Hotline
+1 (888) 278-1174
Your Security Verification Code
UP-372330
Please have this code ready when speaking with our security team.
The email is intentionally written to sound procedural and reassuring. It uses realistic breach language, lists specific categories of data, and presents a simple sequence of actions. This structure is meant to discourage independent verification and make the phone call feel like a routine security step rather than an unusual request.
A key detail is that every path in the email leads to the same outcome. There are no alternative ways to review the issue, no written disclosure to read, and no option to log in independently. All links and references funnel the recipient toward the phone number. The inclusion of a “security verification code” reinforces the illusion of an internal support process while conditioning the recipient to comply once the call begins.
Once a victim calls the number, the scam shifts from email impersonation to voice-based manipulation. Phone conversations allow attackers to adjust their approach in real time, respond to hesitation, and apply pressure tailored to the individual. The fake data breach serves only as the entry point. The real objective is to establish trust during the call and guide the victim into actions that compromise account security.
How We Know the Uphold Data Breach Email Is Fake
Several technical and procedural indicators show that the email claiming a data breach is not a legitimate security notice. These indicators are consistent with impersonation and vishing campaigns rather than a real incident affecting a financial platform.
Legitimate breach notifications follow established disclosure practices, including written advisories, public statements, and verifiable references that users can independently confirm. The message reviewed here does not meet those standards and instead relies on obscured infrastructure and phone-based contact to avoid scrutiny.
Key indicators that the email is fraudulent include:
- Unrelated sender domains: The emails were sent from addresses associated with long-established cosmetic brand domains, including tarte.com, tartecosmetics.com, and awakebeauty.com. These domains have no connection to Uphold and no role in cryptocurrency security communications.
- Spoofed or abused email infrastructure: Analysis of the domains using our WHOIS lookup tool shows that the websites themselves are legitimate, long-standing commercial properties with no recent breach disclosures. This suggests the sender addresses are being spoofed or abused to bypass spam filters, not that the sites were compromised.
- No public confirmation of a breach: There are no official announcements, blog posts, regulatory filings, or user advisories from Uphold describing a third-party data breach matching the claims made in the email.
- Phone-only verification: Every action in the message directs the recipient to call a phone number. There is no option to review a written disclosure, log in independently, or verify the issue through an official website.
- Use of a verification code: The inclusion of a “security verification code” is meant to simulate an internal support workflow and condition the recipient to comply during the phone call.
Taken together, these elements indicate that the email is designed to create urgency while preventing independent verification. The combination of unrelated sender domains, lack of corroborating breach information, and forced phone-based interaction aligns with impersonation scams rather than a legitimate security incident.
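Three of the indicators listed above (unrelated sender domain, phone-only call to action, verification code) can be checked mechanically when triaging a reported message. The following Python is an added example, not code from this investigation or from Uphold; the sample message, the `triage` and `is_official` names, and the use of `uphold.com` as the official domain are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample modelled on the notice quoted earlier. The sender address,
# phone number and code are placeholders, not values from a real message.
SAMPLE = """\
From: "Uphold Security" <notice@cosmetics-brand.example>
To: user@example.org
Subject: Uphold Security Notice: Please Contact Us
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<h2>Third-Party Data Breach Affecting Uphold Users</h2>
<p><a href="tel:+18885550100">Contact our Security Response Team</a></p>
<h3>Your Security Verification Code</h3><p>UP-000000</p>
"""

HREF = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)
CODE = re.compile(r"verification code\W{0,20}([A-Z]{2,4}-\d{4,8})", re.I)


def is_official(host, official_domains):
    """True when host is an official domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in official_domains)


def triage(raw, brand, official_domains):
    """Return which of the indicators listed above a raw message shows."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    claimed = (display + " " + str(msg.get("Subject", ""))).lower()
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    text = re.sub(r"<[^>]+>", " ", body)  # crude tag strip for text matching

    hits = set()
    # 1. The message claims the brand but the From domain is unrelated to it.
    sender_host = addr.rpartition("@")[2]
    if brand.lower() in claimed and not is_official(sender_host, official_domains):
        hits.add("unrelated_sender_domain")
    # 2. Calls to action are tel: links and nothing points at an official site.
    links = HREF.findall(body)
    has_tel = any(u.lower().startswith("tel:") for u in links)
    has_official = any(
        is_official(urlsplit(u).hostname, official_domains) for u in links
    )
    if has_tel and not has_official:
        hits.add("phone_only_call_to_action")
    # 3. A "verification code" the recipient is told to read out on the call.
    if CODE.search(text):
        hits.add("verification_code_lure")
    return hits


if __name__ == "__main__":
    # "uphold.com" as the official domain is an assumption of this example.
    print(sorted(triage(SAMPLE, "Uphold", ["uphold.com"])))
```

Suffix matching on a dot boundary keeps lookalike hosts such as `evil-uphold.com` from passing as official.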
Have Uphold or Tarte Been Breached?
This scam only works if the “breach” story sounds believable. The problem for the scammers is that real breaches, especially ones tied to financial platforms, usually come with details you can verify. Company notices name the vendor or system involved, explain what data was exposed, and tell users how to confirm information safely. The email reviewed here does the opposite. It gives a single date, no vendor name, a broad list of scary data types, and then pushes the recipient into a phone call as the only path forward.
Uphold does have a real, documented third-party incident in its history that scammers can exploit for credibility. In July 2022, an email delivery vendor used by Uphold (Customer.io) had an incident where a senior engineer with administrator access provided customer email addresses for multiple Customer.io clients, including Uphold, to a bad actor. Uphold later published a written notice about it in January 2023 and stated that customer funds were not stolen and that accounts remained secure. Uphold also stated that while login credentials were safe, they believed first name, last name, and email address could have been disclosed, which increases the risk of phishing attempts against those users. That is the key point. Even when a platform is not directly hacked, a third-party communications exposure can fuel targeted scams because attackers now have real, matched contact data.
If the email you received were legitimate, it would look more like that Uphold notice. It would be written, specific, and verifiable. It would not route everyone into a “hotline” with a verification code like a bank fraud robocall script.
Now the other piece. Tarte has its own documented history of data exposure, and it is not subtle. In October 2017, reporting and security researchers described a case where Tarte customer information was exposed through publicly accessible databases linked to misconfigured MongoDB instances. Coverage at the time stated that the exposed data included customer names, email addresses, physical addresses, and purchase history, plus the last four digits of payment cards for customers who purchased over a multi-year span (commonly described as 2008 through 2017). Reporting also described that a ransom note was dropped into one of the databases, suggesting criminal actors found the exposure and may have accessed the data before it was secured.
That 2017 exposure matters for today in a very specific way. Old breach data gets recycled. A lot. A dataset that leaked years ago can sit in circulation indefinitely, get copied into larger “combo” lists, get resold on forums, and then show up years later as the targeting base for unrelated scams. The scammer does not need a new breach to run a new campaign. They only need a big list of emails that still deliver.
This is where the sender domains and their forwarding behavior matter. These are not random throwaway domains registered last week. They are domains that forward into the tartecosmetics.com ecosystem. That does not automatically mean Tarte is breached today. It means the scammers picked an identity anchor that looks legitimate to filters and to humans. They can spoof a From address. They can use lookalike display names. They can rely on the fact that many people will see a recognizable brand domain and assume legitimacy, especially when the content claims “security” and “breach” and uses a phone number instead of a clickable phishing URL.
How do scammers get the email addresses for campaigns like this, if not from a brand-new breach?
- Old breach datasets that keep circulating (a 2017 retail exposure is still useful in 2025).
- “Combo lists” that merge emails and passwords from multiple historical breaches, traded and resold across forums.
- Marketing lists and affiliate lead lists that get leaked, sold, or abused by shady brokers.
- Scraped email collections from web sources, social accounts, and public dumps.
- Dark web and hacker forum marketplaces where lists are packaged by geography, domain type, or industry tags.
- Targeted “enrichment” where an attacker takes a partial list and appends names, phone numbers, and other attributes from data brokers.
So the direct answer is this.
Uphold has a real historical third-party incident involving customer contact data (Customer.io, July 2022, disclosed January 2023). Tarte has a real historical exposure involving customer data through misconfigured databases (reported October 2017). Neither of those facts supports the specific story in the email about a new third-party breach on December 17, 2025 that requires users to call a number to “secure” accounts. What those facts do explain is why a scammer can credibly target people and make the message feel plausible. Old exposures and third-party data incidents give attackers exactly what they need: real emails, real names, and a pretext that sounds familiar.
What Happens When You Call the Phone Number
The emails instruct recipients to call a phone number presented as an Uphold security hotline. In the samples reviewed, all of the links in the message resolved to a phone call rather than a website. While the same number appeared across the emails received in this case, scam operations commonly rotate phone numbers over time. The behavior described here reflects what was observed when calling the number included in these messages, not a guarantee that the same number will always be used.
To understand how the operation worked, the number was called. The call was answered by a prerecorded greeting identifying itself as Uphold customer service, followed by hold music. After a short delay, the call was transferred to a live agent in a call center. The overall setup closely resembled a legitimate customer support line, using automated prompts and queue behavior to create familiarity and reduce suspicion.
What stood out was not who answered the call, but how the interaction was framed. The conversation was immediately positioned as an active security issue tied to a recent breach. The caller was treated as someone who needed to complete verification steps to prevent account impact, rather than being directed to authenticate through an official website or logged-in account.
The verification code included in the email appeared designed to reinforce this workflow. It gives the interaction a sense of formality and allows the agent to present the call as part of an ongoing security case. From there, the caller can be guided toward sharing account-related information or taking actions that compromise account security, depending on how the conversation progresses.
Phone-based scams like this are effective because they allow attackers to control the interaction in real time. Unlike a static phishing page, a live call lets the scammer escalate urgency, adjust their script, or pivot tactics based on the victim’s responses. If a phone number becomes reported or blocked, it can be replaced while the overall structure of the scam remains unchanged.
Legitimate financial platforms do not handle breach notifications this way. They do not send unsolicited emails that force users into calling a phone number, and they do not rely on live agents to resolve security issues without directing users to authenticate through official, verifiable channels. The phone-based workflow observed here aligns with impersonation and account takeover scams, not with real breach response procedures.
The Intent and End Goal of the Scam
The purpose of this scam is not to inform users about a breach. The breach narrative is a pretext designed to justify urgency and authority. The real objective is to place the victim into a controlled interaction where the attacker can influence decisions in real time, either by phone or through follow-up actions prompted during the call.
In many cases, the immediate goal is account takeover. By framing the call as a security response, the scammer can attempt to extract information that weakens account protections. This can include confirmation of the email address tied to the account, guidance through a password reset process, or requests for one-time authentication codes under the guise of verification. Even small pieces of information, when combined, can be enough to initiate recovery workflows or bypass safeguards.
The scam does not have to succeed in a single call. If the victim resists sharing sensitive details, the interaction still has value. The attacker can confirm that the email address is active, learn how the user responds to pressure, and determine whether the account is worth continued targeting. In some cases, the call is used to set up a second stage, such as sending follow-up emails, directing the victim to install software, or instructing them to take actions later under the claim that an investigation is ongoing.
Another common outcome is credential harvesting through misdirection. Rather than asking directly for a password, the scammer may guide the victim into performing actions themselves while the attacker observes or attempts to intercept codes and notifications. This approach reduces suspicion because the victim believes they are acting within a legitimate support process rather than handing over credentials outright.
There is also a financial angle in some variations of this scam. Victims may be warned about pending account restrictions, frozen assets, or suspicious transactions that require immediate resolution. That pressure can be used to push users into authorizing transfers, approving changes, or moving funds under the belief that they are securing their account. The exact tactic can vary depending on the victim’s responses and the scammer’s script.
The flexibility of this approach is what makes it effective. A phone-based interaction allows the attacker to adapt, escalate, or de-escalate as needed. If one tactic fails, another can be attempted without changing the underlying story. This is fundamentally different from simple phishing emails and aligns more closely with coordinated vishing and account takeover operations.
Ultimately, the scam is built around control. The breach claim creates fear, the phone call establishes authority, and the conversation is used to steer the victim toward actions that benefit the attacker. The absence of written verification, official channels, or independent confirmation is not an oversight. It is a feature of the scam.
What to Do If You Receive One of These Emails
If you receive an email claiming to be from Uphold that references a data breach and urges you to call a phone number, do not engage with it immediately. Messages like this are designed to create urgency and push you into reacting before you have time to verify anything. Slowing the process down is one of the most effective ways to neutralize the scam.
The safest response is to treat the email as untrusted until proven otherwise. Legitimate security notifications do not rely on fear-based language, do not force users into phone calls, and do not hide verification behind vague breach claims. If an email provides no written confirmation and no verifiable reference, that absence matters.
If you are unsure how to proceed, follow these steps:
- Do not reply to the email or call any phone number listed in the message.
- Do not click links or buttons, even if they claim to lead to a help center or security page.
- Open a new browser window and manually type Uphold’s official website address to check your account.
- Review any alerts or messages inside your authenticated account dashboard.
- Contact Uphold only using contact details published on their official website.
- Report the email as phishing or impersonation to your email provider.
- If possible, submit the message and its full headers to Uphold so they can investigate.
If no warning appears inside your account after logging in through the official site, that is a strong indication that the email is not legitimate. Real breach notifications are documented and visible without requiring users to chase them through external communication.
The key point is control. Scams like this work by rushing the recipient and narrowing their options. By refusing to act through the email itself and choosing your own verification path, you remove that control and protect your account.
What to Do If You Already Engaged With the Scam
If you called the number, spoke with an agent, or shared any information as a result of these emails, act quickly. Even limited interaction can increase risk, especially if account details or authentication steps were discussed. The goal at this stage is to regain control, reduce exposure, and document what happened.
If you believe you may have been affected, take the following steps as soon as possible:
- Immediately log in to your Uphold account by typing the official website address directly into your browser.
- Change your account password and ensure it is unique and not reused anywhere else.
- Review recent login activity, security alerts, and transaction history for anything unfamiliar.
- Reset or rotate any two-factor authentication methods associated with the account.
- Contact Uphold through official support channels listed on their website and inform them that you may have interacted with an impersonation scam.
- If you shared one-time passcodes, recovery information, or approved any actions during the call, make that clear to support.
- Monitor your email account for password reset attempts, security alerts, or follow-up messages tied to the scam.
If personal information was shared, additional precautions may be necessary. That can include securing the email account tied to your Uphold profile, reviewing activity on other services that use the same email address, and being alert for follow-up scams that reference the original interaction.
If you believe financial loss has occurred or that your account was compromised, document everything you can remember about the interaction, including dates, phone numbers used, and any instructions you were given. This information can help support teams investigate and may be needed if you file reports with consumer protection agencies or financial institutions.
Scam campaigns like this often continue after initial contact. Being proactive, tightening security, and shifting all communication back to official channels reduces the likelihood of further damage.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.




