Fake dbt Cloud / Hightouch data transformation and reverse ETL subscription payment failed, dbt models and dbt runs suspended, audience syncs disabled, or reverse ETL syncs no longer active phishing

Phishing emails impersonating dbt Labs (dbt Cloud) or Hightouch claiming the data transformation or reverse ETL subscription payment has failed, dbt models are suspended, dbt runs are no longer active, audience syncs are disabled, or reverse ETL syncs have been temporarily suspended — directing them to update billing or restore access through a credential-harvesting portal. A distinct attack category targeting analytics engineering infrastructure: dbt powers the data transformation layer that every downstream BI report and ML model depends on, while Hightouch activates warehouse data back into operational tools; suspension creates a cascade of stale data and broken activations across the entire data stack. Key facts: (1) dbt Labs serves 30,000+ deployments (dbt Cloud at $100-$500+/month for teams, Enterprise custom pricing) with adoption at companies including JetBlue, Hubspot, and Vodafone as the standard analytics engineering framework for data transformation — dbt models are the SQL transformation jobs that take raw operational data from the warehouse and transform it into the clean, business-ready tables that power every dashboard, report, and ML feature; a dbt Cloud subscription suspension disables all scheduled job runs simultaneously; the transformation jobs that run nightly to produce the revenue metrics table, the customer 360 table, and the marketing attribution table all stop executing; every BI dashboard that reads from these tables begins serving stale metrics from the last successful run; (2) The 'dbt runs suspended' hook is acutely urgent for data teams with production data pipelines: enterprise dbt deployments have dozens of scheduled jobs with SLA-backed freshness requirements — the finance team's P&L dashboard requires the daily revenue model run to complete by 7am; a dbt subscription suspension that prevents the overnight run means executives are reviewing yesterday's revenue data during the morning standup; (3) Hightouch serves 500+ enterprise customers ($10,000-$100,000+/year) including Warner Bros., Etsy, and Ramp as the leading reverse ETL platform — Hightouch reads from the data warehouse and syncs audience data back to operational tools like Salesforce (CRM enrichment), HubSpot (marketing lists), Facebook Ads (custom audiences), and Braze (personalization); a Hightouch subscription suspension stops all audience syncs simultaneously — the Salesforce account enrichment that keeps sales reps' contact data fresh stops updating; the Facebook lookalike audience that was refreshing weekly with high-LTV customers freezes; (4) The 'audience syncs disabled' hook creates both operational and revenue impact: marketing campaigns targeting warehouse-defined audiences (e.g., 'all customers who purchased in the last 30 days but have not opened an email') stop receiving updated audience membership; the campaign's audience definition is frozen at the last successful sync, causing targeting drift that wastes ad spend and degrades campaign performance; (5) dbt Cloud and Hightouch credentials expose the complete data transformation architecture: every dbt model revealing the SQL logic and business rules used to define company metrics, the dependency graph showing how raw data flows through transformations to final BI tables, the Hightouch sync configurations showing which CRM and advertising platforms receive which customer segments, and the warehouse access credentials used for transformations and syncs. Warning signs: sender not getdbt.com or hightouch.com; genuine dbt Cloud billing at cloud.getdbt.com/settings/billing; Hightouch billing at app.hightouch.com/settings/billing.