MetaMask Hit By Data Leak

Troubling news surrounding MetaMask has emerged, with a recent announcement from ConsenSys that a data leak provided bad actors with the personal info of around 7000 users.

Before reading on, please be aware that the MetaMask wallet extension itself has not been compromised in any way. The source of the security incident is isolated to a data breach where users would have had to submit their personal info via a support ticket.

What Happened?

Consensys, the parent company of MetaMask, recently made an announcement on April 14th. The announcement stated that a third-party service provider, responsible for providing technical customer support services to MetaMask users, was targeted in an incident. Unfortunately, unauthorized actors gained access to the third-party systems, and as a result, any MetaMask users who submitted personal data to their customer support between August 1st, 2021 and February 10th, 2023 may have had their information accessed by the unauthorized actors.

MetaMask’s support ticketing system collects only the personal data required for the support function, such as an email address for return correspondence. However, the system also includes a free-text field where users can add extra information if needed. This means that ticket submitters may have shared additional personal information, such as their full names, telephone numbers, or even postal addresses, thinking it would help resolve their queries.

Am I Affected?

The most important question to ask yourself is whether you submitted a ticket to MetaMask during the timeframe mentioned earlier. If the answer is no, then you have nothing to worry about! Furthermore, MetaMask has sent a notice to all users who contacted their customer support during the affected period.

How Have ConsenSys Reacted?

ConsenSys have taken a number of steps since the leak came to light:

• Neutralized the threat with it no longer being an active issue
• Reported the matter to the data Protection Commission of Ireland and the Information Commissioner’s Office of the UK
• Continued to liaise with the service provider, who has engaged with an experienced incident response IT, cybersecurity and forensics team to investigate
• Put further measures in place to mitigate the known and possible adverse effects, whilst looking to improve existing security measures

Other Leaks, and How Bad Actors Use the Info

One of the most notable examples of a data leak in Web3 was the one that affected Ledger users.

The incident was a complete disaster for both the company and its users. The leak exposed sensitive information, including full names, home addresses, and more, affecting over 270,000 customers. Shockingly, over 1 million email addresses signed up for the company’s newsletter service were also exposed.

Victims of the leak have been bombarded with scam emails in their inboxes, which continues to this day, over a year since the leak happened. The more concerning aspect of the leak is the possibility that highly sensitive customer information may have been bought and sold on the black market multiple times by now.

How To Protect Yourself

One simple way to reduce the risk of these security breaches is to never disclose your real-life credentials when it comes to Web3 matters, including support tickets, where such information is unnecessary. However, with incidents like the one with Ledger, avoiding submitting sensitive information is more challenging as the product needs to be delivered to you. One solution is to use public drop boxes where you can have physical items sent to without exposing your real-life place of residence.

If you become a victim of a data leak, be extra vigilant with your email inbox, and avoid clicking on unknown links from unrecognized senders. Even if the sender is recognized, it’s still best to exercise caution and practice good security habits.

Stay safe!