A cybersecurity incident occurred at the provider of the Ethereum wallet MetaMask. The ticket system of a third-party customer support service that works with customer data was affected. ConsenSys, the software company behind MetaMask, assures in a blog post that the MetaMask browser extension and mobile app has been safe at all times. Only users who were in contact with customer service at the time of the security incident are affected – and it lasted more than 18 months.
Free field for information “at your own discretion”
The unnamed third-party provider of the ticket system for customer support therefore had a security problem between August 1, 2021 and February 10, 2023. Users of the crypto wallet MetaMask who had contact with customer support during this period could become potential victims of the have been a security incident. Unauthorized persons would have gained access to the systems and had access to personal data. Including at least the e-mail address.
Only limited personal data is requested for the provision of support. In a free field, however, according to ConsenSys, users could “enter information at their own discretion”. This would also include “economic and asset information or names, dates of birth, addresses and telephone numbers,” the statement said. While these would not be required to provide customer support, they could have gotten into the hands of the attackers if entered by the help-seeker.
The incident was known for 18 months
Since ConsenSys could not locate all affected customers “due to limited data collection”, the New York software company informed all potential victims of the incident and sent a message to around 7,000 users. The problem has since been resolved and unauthorized access has been prevented. Additional measures have been taken to prevent similar incidents in the future. In addition to investigations by IT security and forensic teams, the Irish and British data protection authorities have been informed.
In addition, ConsenSys in the message to be “extremely vigilant” about suspicious activity and unsolicited contact by email, telephone or SMS, ignoring or responding to such requests and reporting them to the company. According to the announcement, the problem was first reported in August 2021, why the vulnerability was only closed in February 2023 and only now pointed out remains unclear.
(bme)
