Trezor says its users are being targeted in phishing attacks after Trezor users’ data stored on Mailchimp servers was recently hacked.
Updated April 17th. In an incident that highlights the risks of crypto companies relying on the security of third parties, Czech Republic-based Satoshi Labs is warning its users to never reveal their seed phrases after reports of phishing emails being received by Trezor hardware wallet users following the recent hack of Trezor data from Mailchimp.
The popular Trezor Model T hardware wallet
Trezor and Mailchimp – what went wrong?
Trezor says it was notified on April 3rd that a phishing email had been sent to a user’s email account, alerting it to a data breach. Further investigation revealed that third-party newsletter provider Mailchimp, which Trezor used for marketing communications, had been regularly hacked over a period of months. Four Mailchimp workers were targeted by phishing operations for several weeks, and they provided secure access to attackers.
Trezor says it has been restricted in its investigations by a lack of transparency and collaboration from Mailchimp in the aftermath of the attack. “It has taken a long time to understand the true scope of the attack,” the company says, “as Mailchimp has been slow to provide actionable details from their side.” Ultimately Mailchimp revealed that subscriber email addresses were taken, and data from people who had unsubscribed, as well as names and IP addresses in some circumstances.
In an email to compromised users on April 15th, Trezor says users should protect themselves and be wary of incoming mail, as the targeted data is being used to send phishing emails to Trezor users’ inboxes. “Avoid clicking on any links in emails, and never ever enter your seed into a computer without your Trezor device telling you to do so,” the company said.
What is a seed phrase?
The ‘seed phrase’ that a hardware wallet creates is its most essential security feature. A seed phrase is a string of words generated by the wallet during its initial setup. These words should be manually written down by the user. They should never be photographed or typed into a Google or Word doc.
It’s a good idea to make many copies and keep them separate from the hardware wallet. Then, if your hardware wallet is lost, damaged, or stolen, you can buy another one, input your seed phrase while setting it up, and all of your assets will be recoverable.
Trezor Calls Out Mailchimp
Trezor says that, except to exchange details with the impacted users, it will no longer use Mailchimp, and it strongly advises any organization that has used Mailchimp to contact the email service provider and ask whether they too have been affected.
“It is inexcusable to hide the fact that customer data was attacked until being called out,” Trezor said in a statement, “and we are disappointed by Mailchimp’s slow cooperation in the investigation.”
Trezor says that, given the broad scope of the attack, it is important that users remain on alert for phishing attacks coming from sources other than Trezor, as “hundreds of other brands and projects which have not yet been disclosed were also targeted.”
Mailchimp Responds
Mailchimp has issued a public statement about the incident. The US-based company said that on March 26th a bad actor “conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised.” The email provider says it has so far identified 319 Mailchimp accounts that were compromised and audience data “was exported from 102 of those accounts.”
The company says the attackers specifically targeted Mailchimp clients operating in the cryptocurrency sector and it also confirms that phishing attacks have been launched using the stolen data.
Mailchimp adds that more phishing campaigns are possible given that it is “not uncommon for these types of incidents to include multiple attacks.”
US-based Mailchimp was purchased by Intuit in November 2021 for US$12 billion.
Source Article: Brave New Coin