ConsenSys-owned cryptocurrency wallet provider MetaMask has issued a warning to the community regarding Apple iCloud phishing attacks.
The security issue for iPhone, Mac, and iPad users stems from a default device setting under which a user’s seed phrase or “password-encrypted MetaMask vault” is stored in iCloud if the user has enabled automatic backups for their application data.
In a Twitter thread posted on April 18, MetaMask noted that users risk losing their funds if their Apple password is “not strong enough” and an attacker is able to phish their account credentials.
To fix the issue, users can turn off automatic iCloud backups for MetaMask, as detailed:
If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds. (Read on) 1/3
— MetaMask (@MetaMask) April 17, 2022
The MetaMask warning came in response to reports from an NFT collector calling himself “revive_dom” on Twitter, who declared on April 15 that his entire wallet, which contained $650,000 worth of digital assets and NFTs, was wiped via this specific security issue.
In another thread, the founder of the DAPE NFT project, “Serpent,” who also helped get MetaMask’s attention by sharing the story with his 277,000 followers, provided a summary of what happened to the victim.
He pointed out that the victim received multiple text messages asking him to reset his Apple ID password, along with a supposed call from Apple that ultimately came from a spoofed caller ID.
Apparently not suspecting the caller, “revive_dom” provided a six-digit verification code to prove ownership of the Apple account. The scammers then hung up and accessed his MetaMask account through data stored in iCloud.
key takeaways
– ALWAYS use a cold wallet to store your valuables
– Never give out verification codes to ANYONE
– Protect your information, don’t give out your phone number or your personal email
– Caller information is easy to spoof. Companies like Apple will never call you
— Serpent (@Serpent) April 17, 2022
After MetaMask posted the warning today, “revive_dom” expressed his frustrations with the company, noting that:
“I’m not saying they shouldn’t do it, but they should tell us. Don’t tell us never to store our seed phrase digitally and then do it behind our backs. If 90% of people knew this, I’d bet none of them would have the app or iCloud turned on.”
While most of the community response was supportive, others were quick to stress the importance of using cold or offline storage and exercising a lot of diligence when storing assets in a hot or online wallet.
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information set forth herein should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.