MetaMask Users' Email Addresses Exposed in Cybersecurity Incident
MetaMask, the popular Ethereum wallet, experienced a cybersecurity incident that exposed the email addresses of some of its users who submitted a customer support ticket between August 1, 2021 and February 10, 2023. The breach may have affected up to 7,000 users, and some of the customer support tickets included a free text field where users may have submitted personally identifying information. The company has taken steps to eliminate unauthorized access in the future and is working with a cybersecurity and forensics team to investigate the incident.
MetaMask, the popular Ethereum wallet, recently experienced a cybersecurity incident that exposed the email addresses of some of its users who submitted a customer support ticket between August 1, 2021, and February 10, 2023. Parent company ConsenSys released a blog post on April 14, 2023, which disclosed the details of the incident.
According to the post, unauthorized actors gained access to a third-party computer system that was used to process customer service requests. This allowed them to potentially view customer support tickets submitted by MetaMask users. While the tickets did not ask for information other than what was necessary to help the user, they did include a free text field that some users may have used to submit personally identifying information. This may have included economic or financial information, name, surname, date of birth, phone number, and postal address.
ConsenSys emphasized that it does not ask for personally identifying information in customer conversations, but some users may have provided it anyway. The breach may have affected up to 7,000 MetaMask users who submitted customer support tickets during the affected timeframe.
In response to the incident, hardware wallet provider Keystone warned MetaMask users that they might receive more phishing emails. The attacker may use the stolen email addresses to look for potential victims. Phishing is a scam that tricks a user into providing sensitive information to an attacker. It is often performed by sending the victim an email that appears to come from a trusted party or someone the victim knows.
ConsenSys said it had taken steps to eliminate unauthorized access in the future. As a result, tickets submitted after February 10 should be unaffected by the incident. The company also contacted the Data Protection Commission of Ireland and the Information Commissioner’s Office of the United Kingdom to report the breach. Additionally, the company’s third-party customer service provider is working with a cybersecurity and forensics team to perform a more detailed investigation of the incident.
This is not the first time MetaMask has come under scrutiny from privacy advocates. In late 2022, the company revealed that it sometimes logged users' IP addresses. However, it updated its app in March to give users more control over which providers could obtain this information.
The incident highlights the importance of cybersecurity in the cryptocurrency industry. Users should remain vigilant and take steps to protect their personal information, such as using strong and unique passwords and enabling two-factor authentication.