MetaMask third-party provider was hacked, exposing email addresses

The email addresses of some MetaMask users may have been exposed to a malicious party due to a recently discovered cyber-security incident. According to parent company ConsenSys, the incident affected users who submitted a customer support ticket to MetaMask between August 1, 2021 and February 10, 2023.

According to the April 14 blog post, unauthorized actors gained access to a third party’s computer system that was used to process customer service requests, potentially allowing them to view customer support tickets submitted by MetaMask users.

These tickets did not ask for information other than what was necessary to help the user, including email address to facilitate replies. However, they did include a “free text-field,” which some users may have used to submit personally identifying information. This may have included “economic or financial information, name, surname, date of birth, phone number, and postal address,” the post stated.

Consensys emphasized that it does not ask for personally identifying information in customer conversations, but some may have provided it anyway.

The company estimates that the breach may have affected up to 7,000 MetaMask users who submitted customer support tickets.

In response to this incident, hardware wallet provider Keystone warned MetaMask users that some might receive more phishing emails due to the incident since the attacker may use this swiped email database to look for potential victims.

A third-party service provider that provides customer support ticketing services to ConsenSys was the target of a cyber-security incident

⚠️ Be cautious of the potential increase in phishing emails moving forwardhttps://t.co/HswtDiK5EY

— Keystone | Hardware Wallet (@KeystoneWallet) April 14, 2023

Phishing is a scam that tricks a user into providing sensitive information to an attacker. It is often performed by sending an email to the victim that appears to be from a trusted party or someone the victim knows.

Related: MetaMask launches new fiat purchase function for cryptocurrency

Consensys said it had taken steps to eliminate unauthorized access in the future. As a result, tickets submitted after February 10 should be unaffected by the incident. They have also contacted the Data Protection Commission of Ireland and the Information Commissioner’s Office of the United Kingdom to report the breach. In addition, the company’s third-party customer service provider is working with a cyber-security and forensics team to perform a more detailed investigation of the incident.

MetaMask came under fire from privacy advocates in late 2022 when it revealed that it sometimes logged users’ IP addresses. However, it updated its app in March to give users more control over which providers could obtain this information.