Some MetaMask users’ email addresses may have been compromised because of a recently discovered security breach. The breach affected users who submitted customer support tickets to MetaMask between August 1, 2021, and February 10, 2023.
Unauthorized parties may have accessed a third-party computer system to process customer service requests, which could have allowed them to view the support tickets submitted by MetaMask users. Although the support tickets did not request additional information other than what was necessary to assist users, such as email addresses to facilitate replies, some users may have provided personal identifying information in a “free text field,” such as financial or economic data, names, surnames, dates of birth, phone numbers, and postal addresses.
ConsenSys, MetaMask’s parent company, stated that it does not ask for personal identifying information in customer conversations, but some users may have provided it anyway. This breach may have affected up to 7,000 MetaMask users who submitted customer support tickets.
In response, Keystone, a hardware wallet provider, warned that some MetaMask users might receive phishing emails because of the incident, as attackers could use the stolen email database to target potential victims. ConsenSys has taken measures to prevent unauthorized access in the future and tickets submitted after February 10 should be unaffected. They also reported a breach to the Data Protection Commission of Ireland and the Information Commissioner’s Office of the United Kingdom. Cybersecurity and forensic teams are conducting more detailed investigations of the incident.
In late 2022, MetaMask faced criticism from privacy advocates regarding logging users’ IP addresses. However, in March, the app was updated to provide users with more control over which providers could access this information.