Hackers Stole $655K After Taking a MetaMask Seed from an iCloud Backup

iCloud Backup

MetaMask has warned its iOS users that the seeds of cryptocurrency wallets are saved in Apple’s iCloud if app data backup is enabled.

MetaMask is a “hot” cryptocurrency wallet that over 21 million investors use to store their wallet tokens and manage their digital assets.

A seed is a 12-word secret recovery phrase used in cryptocurrencies that protects access to the wallet’s contents.

Storing the wallet seed in iCloud effectively means that if an owner’s Apple account is hacked, so are their digital possessions.

If you’ve enabled iCloud backup for app data, your password-protected MetaMask vault will be included. If your password isn’t strong enough and your iCloud credentials are phished, money can be stolen.

April 17, 2022 — MetaMask (@MetaMask)

A true case of phishing

Unfortunately, the scenario described here was employed against at least one MetaMask user, who lost $655k as a result of a well-crafted phishing attempt.

1/ On April 15th, @revive_dom received many text messages requesting that he reset his Apple ID password, as well as a call from “Apple Inc.” at 6:32 p.m., which was a spoofed caller ID.

They said that suspicious behavior had been detected on his Apple ID and requested a one-time photo.


April 17, 2022, Serpent (@Serpent)

The target received repeated text messages requesting that he reset his Apple account, and the attacker followed up with a call from a spoofed Apple Inc. number posing as support personnel looking into suspicious activity on his account.

The victim followed the instructions and gave the bogus support personnel the six-digit Apple verification code. His MetaMask wallet was soon depleted.

The hackers had already requested a password change on the Apple account, and all they needed was the extra verification code to gain access to the victim’s iCloud data, which contained the MetaMask seed. With it, they were able to take $655,388 in cryptocurrency.

What should I do?

To keep your digital assets safe from attacks like this one, exclude MetaMask from iCloud backups under Settings > Profile > iCloud > Manage Storage > Backups.

Regardless of how persuasive a call, email, or SMS may appear, the two-factor authentication code is a temporary secret that should not be shared with anybody. It would never be requested by official representatives.

Additionally, rather than using the MetaMask hot wallet, cryptocurrency users can keep their assets safer in a cold wallet if they aren’t actively trading them.

Finally, keeping your investments off of social media and other public platforms makes you less of a target for hackers looking for new, high-value targets.
