MetaMask Crypto Wallet Seeds Exposed In iCloud Backups, $650K Theft Shows

MetaMask, a cryptocurrency wallet and blockchain app gateway (https://metamask.io/) used by more than 21 million investors, tweeted a warning (raw link at bottom) to iOS users: if they have iCloud backup enabled, their wallets could be hacked if someone phishes their iCloud credentials.

With iCloud backup enabled, a user’s crypto “seed” (a key to their account, typically ~12 words) may be used by anyone who gains access to the backup to steal their assets.

@sentinelwtf founder @serpent shares that a MetaMask user (@revive_dom) lost $655k in a phishing attack: “MetaMask actually saves your seed phrase file on your iCloud. The scammers requested a password reset for the victim’s Apple ID. After receiving the 2FA code, they were able to take control over the Apple ID, and access iCloud which gave them access to the victim’s MetaMask.”

Experts with Cyvatar and Shared Assessments offer comments.

Expert Comments

April 20, 2022
Dave Cundiff
Vice President
Cyvatar

As today’s technology becomes increasingly more complex, users sometimes mistakenly assume that successful attacks will need to be equally complex. All items currently leveraging blockchain or web3 still rely on the fundamental building blocks of infrastructure. Servers, networking, users, authentication, etc. are all still fundamental pieces within the overall uses of these new technologies. As such, sometimes deceptively simple attacks can allow for these types of successes on the part of the attacker. However, unlike a federally or institutionally insured banking entity, there is currently limited recourse to recovery of funds. No matter the banking entity you are working with, whether it be a cryptocurrency wallet or a traditional brick-and-mortar bank, NEVER follow text message instructions.

Anytime you receive a text message saying you need to reset something, it is imperative to go to the standard website from a different device to make the requested change. This will prevent even the possibility of a low-level attack like this from being able to begin even the first step. Additionally, there are currently no providers such as Apple or Google who will ever request your 2-factor code. If someone ever asks you to provide a verification code verbally over a phone call, they are most likely not a proper representative.

April 20, 2022
Nasser Fattah
Executive Advisor
Shared Assessments

Often when we back up our iPhones to the cloud, we don’t think of what to exclude in the event our Apple credential is compromised. Backups are often all or nothing.

Additionally, there is certain information, like passwords or PINs, that should be deemed suspicious when being requested by support staff. When in doubt, or if you’re getting the heebie-jeebies, then it is time to stop engaging with the requester and call the official number of the entity that is asking for one’s sensitive information.
