A cyber-security incident targeted a third-party service provider that provides technical customer support services to Consensys.
The incident was limited to a certain number of users who submitted personal data to MetaMask customer support during the period August 1 2021 to February 10 2023.
It is important to note that the MetaMask browser extension and mobile app security were not affected by this incident. MetaMask users are unaffected if they did not submit personal data to MetaMask customer support ticketing system.
Frequently Asked Questions
Can you describe how the incident happened?
A third-party service provider that provides customer support ticketing services to Consensys was the target of a cyber-security incident. The incident occurred when unauthorised actors gained access to the third-party service provider’s systems. As a result of this incident, MetaMask users who submitted personal data to our customer support may have had that data accessed by an unauthorised third party.
What type of data was accessed?
MetaMask support requests limited personal data necessary to provide the support function (e.g. email address). MetaMask support tickets include a free text-field, so while we request limited personal data, users at their own discretion may input any information, which depending on the submission, may constitute personal data (including, potentially: economic or financial information, name, surname, date of birth, phone number, and postal address). Again, this type of personal data is not personal data we request as part of providing support services.
How many users were affected?
The incident was limited to users who submitted personal data to MetaMask customer support using the third-party customer support ticketing services. Due to limited data collection, we cannot technically identify each individual user whose data may have been accessed. As a result, a notice was sent to all users who contacted MetaMask customer support during the affected period. We estimate that approximately 7,000 users worldwide were affected by the incident.
What measures have we taken to ensure this won’t happen again? Are you looking at other potential attack vectors and reconsidering our approach to those?
In relation to this incident, the following steps have been taken:
We have taken steps to stop the unauthorised access. The threat is no longer on-going.
We have reported the matter to the Data Protection Commission of Ireland and the Information Commissioner’s Office of the UK.
We continue to liaise and work with our service provider who has engaged with an experienced incident response IT, cyber security, and forensics team to investigate the incident.
We are putting further measures in place in order to address and mitigate known or possible adverse effects.
We are constantly looking at ways to improve our existing measures to meet the highest level of security and data privacy.
How can users be confident that their data is safe with MetaMask in future?
The security of the MetaMask browser extension and mobile app was not affected by this incident. The incident was limited to a third-party provider of technical customer support ticketing services used by MetaMask. MetaMask users who did not submit personal data to MetaMask customer support using these ticketing services are unaffected. Consensys completed a comprehensive forensic investigation into the incident and implemented measures to prevent similar incidents from happening in the future. In addition, Consensys is currently engaged in implementing an enhanced third-party risk management program across its services. Protecting the privacy of our users and the safety of your data is at the core of this enhanced program.
What can potentially affected users do to protect themselves? What should I do if I suspect a phishing attempt?
As always, we ask that you be extremely vigilant for any suspicious activity and unsolicited contacts which may be made to you by phone, text, email or instant message. If you are suspicious of any request or message, do not open it and do not reply or click any links but delete it. Please make us aware of suspicious requests and messages by reporting them here.
We wish to remind you, as Consensys frequently repeats through its public channels, that any request for your secret recovery phrase should be treated as suspicious and ignored. We will never ask you for your secret recovery phrase. Never in any circumstances provide your secret recovery phrase to any third party.
The breach has been reported to which regulators?
The Data Protection Commission of Ireland and the Information Commissioner’s Office in the UK.
How many users were potentially affected?
Approximately 7,000 users of customer support had their tickets accessed during the time period of the incident, which is a small percentage of the users who used customer support during that time.
When was this issue first reported?
August 2021.
How long were the users’ data at risk?
Between August 2021 and February 2023.
If you have any additional questions please contact [email protected].
Media Contacts: [email protected]