ConsenSys-owned crypto wallet provider MetaMask has issued a warning to the community about Apple iCloud phishing attacks.
The issue affects iPhone, iPad and Mac users: with the device's default setting of automatically backing up app data to iCloud, the user's seed phrase, in the form of the "password-encrypted MetaMask vault", is stored in iCloud along with the rest of the app's data.
In a Twitter thread posted on April 18, MetaMask noted that users risk losing their funds if their Apple password is "not strong enough" and an attacker manages to spoof their Apple account credentials.
To fix the issue, users can disable automatic iCloud backups for MetaMask as follows:
If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn't strong enough and someone spoofs your iCloud credentials, it could mean stolen funds. (Keep reading) 1/3
MetaMask (@MetaMask) April 17, 2022
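The warning hinges on one point: once the encrypted vault sits in an iCloud backup and the Apple credentials are phished, nothing stands between the attacker and the seed phrase except the vault password, which can be guessed offline with no rate limiting or lockout. The following script is an added illustration, not MetaMask's code, and its PBKDF2 parameters (10,000 iterations, a fixed salt) are assumptions chosen for the demonstration rather than the wallet's actual settings. It benchmarks how many password guesses one CPU core can test per second against such a vault and turns that into a defender-side check of whether a passphrase of a given entropy would keep an exposed backup safe.

```python
import hashlib
import math
import time

# Constructed example of a password-encrypted vault's key derivation.
# ITERATIONS and SALT are assumptions for illustration; a real vault stores a
# random salt next to the ciphertext and may use a different work factor.
ITERATIONS = 10_000
SALT = b"constructed-salt"


def derive_key(password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """Derive a 32-byte vault key with PBKDF2-HMAC-SHA256, as password-based vaults do."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def measure_guesses_per_second(seconds: float = 0.2) -> float:
    """Benchmark PBKDF2 derivations per second on one core at ITERATIONS.

    This is the attacker's budget once the backup is in hand: every guess is an
    offline computation, with no server-side throttling or second factor.
    """
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        derive_key("benchmark-%d" % n)
        n += 1
    return n / (time.perf_counter() - start)


def passphrase_entropy_bits(words: int, dictionary_size: int = 7776) -> float:
    """Entropy of a randomly chosen passphrase (default: a 7776-word diceware-style list)."""
    return words * math.log2(dictionary_size)


def years_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected years to search half of a keyspace with the given entropy."""
    guesses = 2 ** (entropy_bits - 1)
    return guesses / guesses_per_second / (365 * 24 * 3600)


def vault_survives_exposure(entropy_bits: float, guesses_per_second: float,
                            horizon_years: float = 100.0) -> bool:
    """Defender-side check: would an exposed backup stay unreadable for the horizon?"""
    return years_to_exhaust(entropy_bits, guesses_per_second) >= horizon_years


if __name__ == "__main__":
    gps = measure_guesses_per_second()
    print(f"~{gps:,.0f} PBKDF2 guesses/s on one core at {ITERATIONS} iterations")
    for words in (2, 4, 6):
        bits = passphrase_entropy_bits(words)
        print(f"{words}-word passphrase ({bits:.0f} bits): "
              f"{years_to_exhaust(bits, gps):.2e} years, "
              f"survives={vault_survives_exposure(bits, gps)}")
```

Running it shows why "not strong enough" is the operative phrase: a two-word passphrase falls in seconds on a single core, a four-word one holds for years, and only at six words or more does an exposed backup stay out of reach for the lifetime of the funds. The same arithmetic is why disabling the iCloud backup (removing the ciphertext from reach) is a stronger fix than any password choice.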
The MetaMask warning came in response to reports from an NFT collector going by the name "revive_dom" on Twitter, who said on April 15 that his entire wallet, holding $650,000 worth of digital assets and NFTs, was wiped through this specific security issue.
In a separate thread earlier today, the founder of the DAPE NFT project, "Serpent", who also helped bring the story to MetaMask's attention by sharing it with his 277,000 followers, summarized what happened to the victim.
They noted that the victim received multiple text messages asking them to reset their Apple ID password, along with a call allegedly from Apple that turned out to come from a spoofed caller ID.
Reportedly not suspicious of the caller, "revive_dom" gave out a six-digit verification code to prove ownership of the Apple account. The scammers then hung up and accessed the victim's MetaMask account through the data stored in iCloud.
Key takeaways
- ALWAYS use a cold wallet to store your valuables
- Never give verification codes to ANYONE
- Protect your information, do not give out your personal phone number or email
- Caller information is easy to spoof. Companies like Apple will never call you
Serpent (@Serpent) April 17, 2022
After MetaMask posted the warning today, "revive_dom" voiced his frustrations with the company, noting that:
"I'm not saying they shouldn't do it, but they should tell us. Don't tell us never to store our seed phrase digitally and then do it behind our backs. If 90% of people knew this, I'd bet none of them would have the app or iCloud turned on."
While most of the community response was supportive, others were quick to emphasize the importance of using cold storage and doing due diligence when storing assets in a hot wallet.