Trezor Support Site Breach and Data Exposure Effecting 66,000 Customers
Trezor, a leading hardware cryptocurrency wallet vendor, recently reported a security breach on its support site, affecting approximately 66,000 customers.
Incident Overview
Unauthorized access to Trezor's third-party support ticketing portal led to a data breach on January 17. The company assures users that no evidence suggests compromise of digital assets.
User Data Exposure
While user funds remain secure, a subset of 66,000 users who interacted with Trezor Support since December 2021 had their names, usernames, and email addresses exposed. Fortunately, Trezor believes additional personally identifiable information stored on the breached system was not impacted.
Exploitation Cases and Phishing Attacks
Trezor confirmed 41 cases of exposed data exploitation. Attackers targeted users with phishing emails, posing as automated support replies. Users were tricked into revealing their recovery seeds, essential for wallet access.
Phishing Tactics
The phishing messages falsely claimed that seed information was only needed for firmware validation and would not be accessible by humans. Revealing a Trezor seed phrase could enable attackers to access and steal cryptocurrency irreversibly.
Trezor's Response
Trezor promptly terminated unauthorized access to its support system on January 17, mitigating the risk. The company contacted potentially affected users, cautioning them against phishing attempts. No successful attacks have been observed.
User Vigilance and Best Practices
Trezor advises users who contacted support post-December 2021 to remain vigilant against phishing and scams. Users should never disclose their seed phrase, as this confidential information is crucial for securing wallets.
Security Reminders
It's crucial for hardware wallet users to understand that legitimate wallet providers will never request sensitive data like seed phrases for operational or support reasons. Upholding confidentiality is paramount in maintaining the security of cryptocurrency assets.
Danial Zahoor
Professional Ethical Hacker and Cybersecurity Researcher with a proven track record in dismantling online threats. Successfully neutralized 4 scammer networks, thwarted 13 phishing schemes, and disrupted 4 kidnapper networks. Committed to ensuring online safety and security, I leverage my expertise to protect individuals and organizations from digital threats. Passionate about cybersecurity education and empowering others to stay safe online.
