Due to a recently discovered cybersecurity incident, the email addresses of some MetaMask users may have been exposed to malicious parties. According to parent company ConsenSys, the incident affected users who submitted customer support tickets to MetaMask between August 1, 2021 and February 10, 2023.
According to an April 14 blog post, unauthorized actors gained access to a third-party computer system used to process customer service requests, potentially allowing them to view customer support tickets submitted by MetaMask users.
The tickets ask only for the information necessary to assist the user, including an email address for replies. However, they do include a "free text field" that some users may have used to submit personally identifiable information. This could include "economic or financial information, names, dates of birth, phone numbers and postal addresses," the post said. ConsenSys emphasized that it does not ask for personally identifiable information in customer conversations, but some users may have provided it.
The company estimates that the breach may have affected as many as 7,000 MetaMask users who submitted customer support tickets. In response to the incident, hardware wallet provider Keystone warned MetaMask users that some may receive more phishing emails, as attackers may be using the stolen email database to find potential victims.
Phishing is a scam that tricks users into providing sensitive information to attackers. It is usually executed by sending the victim an email that appears to be from a trusted party or someone known to the victim.
ConsenSys said it has taken steps to eliminate unauthorized access in the future, so tickets submitted after February 10 should not be affected by this incident. The company also contacted the Irish Data Protection Commission and the UK Information Commissioner's Office to report the breach. Additionally, the company's third-party customer service provider is working with cybersecurity and forensics teams to conduct a more detailed investigation of the incident.
MetaMask came under fire from privacy advocates in late 2022 when it revealed that it sometimes logs users' IP addresses. However, it updated its app in March to give users more control over which providers get the information.



















