MetaMask has warned that if an Apple user has enabled automatic iCloud backups of their MetaMask wallet data, their seed phrase is stored online. The ConsenSys-owned crypto wallet provider was quick to warn the community about Apple iCloud phishing attacks.
Notably, the security issue affecting iPhone, Mac, and iPad users stems mainly from default device settings: a user’s seed phrase, and sometimes the “password-encrypted MetaMask vault”, is stored on iCloud if the user has enabled automatic backups for their app data and information.
In a Twitter thread published on April 18, MetaMask said that users risk losing their funds if their Apple password ‘is not strong enough’ and an attacker can phish their account credentials.
To fix that issue, users can disable automatic iCloud backups for MetaMask, as highlighted:
🔒 If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds. (Read on 👇) 1/3
— MetaMask 🦊💙 (@MetaMask) April 17, 2022
This warning from MetaMask came in response to reports from a nonfungible token (NFT) collector known as “revive_dom” on Twitter, who said on April 15 that their whole wallet, holding $650,000 worth of digital assets and nonfungible tokens, was wiped dry through this particular security issue.
In a separate thread earlier in the day, DAPE NFT project founder “Serpent”, who helped draw MetaMask's attention by sharing the story with their 277,000 followers, provided a rundown of what happened to this specific victim.
They said that the victim received multiple text messages asking him to reset his Apple ID password, together with a purported call from Apple that was eventually discovered to have come from a spoofed caller ID.
Allegedly not suspecting the caller, “revive_dom” gave out a 6-digit validation code to prove that they were the owner of the Apple account. The cybercriminals then hung up and accessed his MetaMask account through data that was stored on iCloud.
– ALWAYS use a cold wallet to store your valuables
– Never give out verification codes to ANYONE
– Protect your information, don't give out your phone number or your personal email
– Caller information is easy to spoof. Companies like Apple will never call you
— Serpent (@Serpent) April 17, 2022
After MetaMask posted the warning on April 18, “revive_dom” expressed his frustration with the firm, noting that:
“I’m not saying they shouldn’t do it but they should tell us. Don’t tell us to never store our seed phrase digitally and then do it behind our backs. If 90% of the people knew this I would bet none of them would have the app or iCloud on.”
While a majority of the community response was supportive, others quickly insisted on the importance of using cold storage and doing thorough due diligence when storing any assets in a hot wallet.