MetaMask third-party provider was hacked, exposing email addresses

The email addresses of immoderate MetaMask users whitethorn person been exposed to a malicious enactment owed to a precocious discovered cyber-security incident. According to genitor institution ConsenSys, the incidental affected users who submitted a lawsuit enactment summons to MetaMask betwixt August 1, 2021 and February 10, 2023.

According to the April 14 blog post, unauthorized actors gained entree to a 3rd party’s machine strategy that was utilized to process lawsuit work requests, perchance allowing them to presumption lawsuit enactment tickets submitted by MetaMask users.

These tickets did not inquire for accusation different than what was indispensable to assistance the user, including email code to facilitate replies. However, they did see a “free text-field,” which immoderate users whitethorn person utilized to taxable personally identifying information. This whitethorn person included “economic oregon fiscal information, name, surname, day of birth, telephone number, and postal address,” the station stated.

Consensys emphasized that it does not inquire for personally identifying accusation successful lawsuit conversations, but immoderate whitethorn person provided it anyway.

The institution estimates that the breach whitethorn person affected up to 7,000 MetaMask users who submitted lawsuit enactment tickets.

In effect to this incident, hardware wallet supplier Keystone warned MetaMask users that immoderate mightiness person much phishing emails owed to the incidental since the attacker whitethorn usage this swiped email database to look for imaginable victims.

— Keystone | Hardware Wallet (@KeystoneWallet) April 14, 2023

Phishing is simply a scam that tricks a idiosyncratic into providing delicate information to an attacker. It is often performed by sending an email to the unfortunate that appears to beryllium from a trusted enactment oregon idiosyncratic the unfortunate knows.

Related: MetaMask launches caller fiat acquisition relation for cryptocurrency

Consensys said it had taken steps to destruct unauthorized entree successful the future. As a result, tickets submitted aft February 10 should beryllium unaffected by the incident. They person besides contacted the Data Protection Commission of Ireland and the Information Commissioner’s Office of the United Kingdom to study the breach. In addition, the company’s third-party lawsuit work supplier is moving with a cyber-security and forensics squad to execute a much elaborate probe of the incident.

MetaMask came nether occurrence from privateness advocates successful precocious 2022 erstwhile it revealed that it sometimes logged users’ IP addresses. However, it updated its app in March to springiness users much power implicit which providers could get this information.