Trezor support site breach exposes personal data of 66,000 customers

Trezor issued a security alert after identifying a data breach that occurred on January 17 due to unauthorized access to their third-party support ticketing portal.

The popular hardware cryptocurrency wallet vendor says that the investigation into the incident is ongoing, but it has so far found no evidence that users’ digital assets were compromised.

“We want to stress that none of our users’ funds have been compromised through this incident,” reads the announcement. “Your Trezor device remains as secure today, as it was yesterday,” the company added.

However, a subset of 66,000 users who have interacted with Trezor Support since December 2021 may have had their names or usernames, and email addresses exposed to an unauthorized party.

Postal addresses, phone numbers, and other personally identifiable information were also stored on the breached system but Trezor does not believe these were impacted.

Unfortunately, Trezor has already confirmed 41 cases where exposed data has been exploited, with the attackers approaching users to trick them into giving away their recovery seeds – a string of words that contains all the information required to gain access to a wallet.

Specifically, the attackers email Trezor users with a message that seems like an “automated reply” from support, requesting them to disclose the 24-word phrase they used for setting up their Trezor wallets.

The phishing message assures the recipient that the seed information is required only for firmware validation and won’t be “accessible by humans.”

Phishing message (Trezor)

Giving away a Trezor seed phrase would allow the attacker to restore the victim’s wallet on any BIP39-compatible hardware wallet device and perform irreversible cryptocurrency theft.

Trezor has reached out to all potentially affected users, warning them of phishing attacks that try to obtain recovery seeds. The company notes that no cases of successful attacks have been observed.

The company says the unauthorized access to its support system has now been terminated and the risk from the attack was mitigated on January 17 at 20:20 CET.

If you are a Trezor user who contacted their support after December 2021, be vigilant for potential phishing and scamming attempts.

Hardware wallet users must never disclose their seed phrase under any circumstances. This information is confidential and should remain exclusively with the user.

Wallet providers will never request this type of sensitive data because it is not necessary for any operational or support-related reasons.

Source: www.bleepingcomputer.com