MetaMask Faces Cybersecurity Incident: Customer Support Data Exposed

Unauthorized Access Impacts Estimated 7,000 Users; MetaMask and ConsenSys Take Swift Action

MetaMask, a prominent Ethereum wallet, recently experienced a cybersecurity incident that led to the exposure of personal data submitted by users to MetaMask’s customer support. The incident targeted a third-party service provider that supplies technical customer support services to ConsenSys, MetaMask’s parent company. The incident specifically affected users who submitted personal data to MetaMask customer support between August 1, 2021, and February 10, 2023.

According to ConsenSys, unauthorized actors gained access to the third-party service provider’s systems. As a result, they were able to access personal data submitted by MetaMask users through the customer support ticketing service. While MetaMask support requests only require limited personal data to provide support (e.g., email address), the support tickets include a free text field where users may voluntarily input additional information. This could include sensitive data such as names, dates of birth, phone numbers, postal addresses, and financial information.

It is estimated that approximately 7,000 users worldwide were affected by the incident. However, due to limited data collection, ConsenSys cannot technically identify each individual user whose data may have been accessed. As a result, a notice was sent to all users who contacted MetaMask customer support during the affected period.

In response to the incident, ConsenSys has taken several steps to prevent similar occurrences in the future:

  • Unauthorized access has been stopped, and the threat is no longer ongoing.
  • The incident was reported to the Data Protection Commission of Ireland and the Information Commissioner’s Office of the UK.
  • ConsenSys continues to liaise and work with the service provider, which has engaged an experienced IT incident response, cybersecurity, and forensics team to investigate the incident.
  • Further measures are being put in place to address and mitigate known or possible adverse effects.
  • An enhanced third-party risk management program is being implemented across ConsenSys services to improve security and data privacy.

It is important to note that the security of the MetaMask browser extension and mobile app was not affected by this incident. Only users who submitted personal data to MetaMask customer support using the third-party ticketing services were impacted.

ConsenSys advises potentially affected users to remain extremely vigilant for suspicious activity, unsolicited contacts, and phishing attempts. Users should not open, reply to, or click on links in suspicious requests or messages, and are reminded never to provide their secret recovery phrase to any third party.

The incident unfolded over an extended period, from August 2021 to February 2023; MetaMask and ConsenSys have taken swift and decisive action to safeguard users’ data and prevent future breaches.