Trezor, a leading hardware wallet provider, discovered unauthorized access to their third-party support ticketing portal on January 17th, leading to user data exposure and phishing attacks targeting 41 users. The company took immediate action to mitigate the breach, conducting an internal investigation, alerting affected users, and implementing enhanced security measures to prevent future incidents.

Key Insights

• The exploit involved unauthorized access to Trezor’s third-party support ticketing portal, leading to the exposure of user data and targeted phishing attacks.
• Trezor assures no funds were compromised, and the breach represents a small portion of its customer base.
• All users who have interacted with Trezor Support since December 2021 were considered to be at potential risk.
• The breach gave access to user names/nicknames and email addresses by the malicious actor. Only 41 users were targeted in the phishing attacks.
• In response, Trezor sent emails sent to 66,000 potential victims.
• In April 2022, Trezor users faced a similar phishing attack due to a breach at Mailchimp.

🚨 JUST IN: Trezor Wallet Attack 🚨

Trezor reveals a security breach affecting around 66,000 customers.

An internal audit indicates limited access to email and name/nickname data.

The illicit actor contacted 41 customers seeking sensitive recovery seed information. Eight… pic.twitter.com/kVtIzVUTq3

— Good Morning Crypto (@3TGMCrypto) January 21, 2024

On January 17th, the leading hardware wallet provider, Trezor, discovered someone had gained unauthorized access to their third-party support ticketing portal. As soon as the breach was spotted, they immediately took steps to prevent any further malicious activity by revoking the malicious actor’s access and conducting a detailed audit of their operational logs. From a technical perspective, Trezor squashed any additional risk to their user base as soon as they spotted the breach.

Knowing that simply denying the malicious actor access wouldn’t be enough, Trezor got in contact with the third-party provider to get a better idea of the scope of the unauthorized access. The provider assured them that there had been no user data or contact information had been procured. However, Trezor decided to do its own investigation into the incident and discovered two things:

1. The malicious actor had managed to access user contact details, though fortunately, it was limited to their names/nicknames and email addresses.
2. 41 of its users had been victims of phishing attacks. They had been contacted by the malicious actor, who was requesting sensitive information related to their recovery seeds under the guise of a bot checking the firmware of their Trezor device. 

They alerted these users with a detailed scope of the incident as soon as they were aware of their involvement and prevented anyone from sharing their recovery seeds. 

Despite a lack of confirmation, Trezor suspected that all users who had interacted with Trezor Support since December 2021 (the date this incident began) could be victims of a phishing attack. The company has been proactive in sending out emails to the 66,000 potential victims, making them aware of the scope of the incident and the possible scams they could be subject to because of it.

Trezor was running a trial-based discussion platform through the same third-party provider during the breach. The company suspects that the eight people who used it to create accounts might have had their contact details compromised and contacted them directly to make them aware of the situation.

Since the incident, Trezor has been in constant communication with their third-party provider through formal inquiries with their security team and interactions with their support team. They have yet to reach a definitive conclusion on why this was able to happen or who the malicious actor is. Still, the company’s security team is working tirelessly to ensure the safety of their systems to prevent something like this from happening again. They’re also pressing the third-party provider for clear information to resolve this matter urgently.

Once all potential phishing victims had been made aware, Trezor brought all available information regarding the incident into the public eye on January 20th. This decision was two-fold:

1. Re-establishing trust with their users by showing them that the protection of their data is Trezor’s top priority 
2. Increasing their users’ awareness of sharing sensitive personal information to suspect sources.

To prevent any panic, Trezor has assured its users that no funds have been compromised and that their devices are “as secure today as they were yesterday.” They went on to emphasize that the only time users would need their recovery seed is when entering it into their Trezor device upon its recovery. They also encouraged anyone who saw unfamiliar activity in their wallet to report it immediately to Trezor’s official support page.

Previous Phishing Attacks Against Trezor Users

This isn’t the first time Trezor users have had to deal with phishing attacks. In April 2022, a malicious actor gained access to an internal tool used by customer-facing teams for customer support and account administration thanks to a successful social engineering attack on Mailchimp (a marketing automation and email marketing platform) employees.

The attacker used the platform to distribute a link via an email that claimed Trezor had experienced a security incident affecting 106,856 of its users and asked those who received the email to click the link and download the latest version of Trezor Suite. Users would then be directed to download a Trezor Suite lookalike app, asking them to connect their wallet and enter their recovery seed. This would compromise the seed, and funds were immediately transferred to the attacker’s wallet.

What Trezor is Doing to Prevent Further Incidents

To continue to ensure their users’ safety, Trezor will work to enhance their security practices even further. Due to the nature of modern businesses, dependence on third-party service providers is necessary for their functionality. Still, Trezor is doing its part to assess its relationship and the trustworthiness of the third-party vendor involved.

What You Can Do to Protect Yourself from a Phishing Attack

At the moment, the only thing Trezor users affected by the incident should really be worried about is receiving an email from an account pretending to be Trezor. There are a few ways to spot whether the email is legit:

1. Trezor will always communicate from email addresses ending in @trezor.io or @satoshilabs.com
2. On iOS Mail, open the email, select details, and tap on the name of the sender to display more details.
3. Click the arrow next to the “To” field on Gmail, and a pop-up window displaying the sender’s full email address will appear.
4. Check the links to see where they will take you by hovering your mouse cursor over the link (on a computer) or pressing and holding the link (on a mobile device). If it’s from Trezor, the URL should end with .trezor.io or .satoshilabs.com.
5. Check the email for misspelled words, grammar errors, and any unusual words. Phishing emails are usually full of them.
6. Phishing emails usually try to prompt urgent action from their targets, warning them about a security breach or potentially blocked access to their account. You should verify the information through the official Trezor Support channels before acting.
7. If everything else looks fishy and the email also prompts you to download something, you can be sure it is a phishing attack and report it (or ignore it).