
Topic: Trezor's 3rd-Party Support Portal was Hacked (Read 364 times)

legendary
Activity: 2730
Merit: 7065
January 31, 2024, 11:10:56 AM
#27
@PrivacyG
I guess you received the one that came from the official Trezor email handle telling you that your assets are being upgraded and that you need to confirm your holdings by entering your seed phrase. Even though it came from Trezor's official email, anyone asking for your seed and private keys should immediately ring all kinds of red alarms on the user's end. Most hardware wallet users should have enough knowledge to know this. Trezor now has a big red notification in its Trezor Suite informing all users about the phishing emails and importance of not sharing sensitive data with anyone.
hero member
Activity: 882
Merit: 1873
I fear that this is only the start of a long campaign in draining the funds of users that were both unaware of this 3rd-party support portal hack and are not that savvy in what concerns their devices and best security practices...
Holy Moly.  I received a message from Trezor too and it seemed legitimate at first.  Being a little bit tech savvy though I quickly realized it can not be real and ignored it.  But this can easily fool the regular person using Trezor or Bitcoin, all it takes is them having trust in the Trezor team.

Trezor should add multiple warnings in the boxes of their products.  They should make it clear to every body that Private Keys and Seeds should NEVER be given away even to the Support team of Trezor or it may lead to loss of funds.  Even after so many years, too many people STILL do not understand this.

Hell.  I would add such a warning on the boot screen too and particularly on the Seed Phrase paper.  Bold text on red background, make them notice the warning before attempting any thing stupid.
legendary
Activity: 1148
Merit: 3117
And it seems that a batch of new e-mails was sent to some customers notifying them of an upgrade to their assets[1]. It looks like a more elaborate scam attempt than we usually see, per Reddit comments:
Quote
Not just the signature (that isn't usually perceived by "normal" users), but even the link the scam was pointing to was legit. First thing you would check about is the links, but the links were legit, so this could have fooled a bunch of people.. if you know how it works (hence I did), you come to a conclusion: wow, this is a phishing email, but everything in the email is legit, a scammer can't do that without hacking the backend (or obtaining access to the platform).. and you come here on Reddit to check. But what about the thousands of other people out there, they may easily fall for it, because the contents (maybe not the spelling) were all legit.
I fear that this is only the start of a long campaign in draining the funds of users that were both unaware of this 3rd-party support portal hack and are not that savvy in what concerns their devices and best security practices...

[1]https://teddit.zaggy.nl/r/TREZOR/comments/19enqtd/security_alert_weve_detected_an_unauthorized/
legendary
Activity: 2730
Merit: 7065
Are you sure it's the exact same official email address and not something nearly identical but hidden with punycodes and coming from different source?
It's from their email provider. The service handling their emails got hacked. I don't know why that's something they would outsource to a third party, and why they couldn't have handled that themselves in-house. But like with anything, companies only change when shit happens.

Congrats on being selected as one of the ''lucky'' winners from everyone who applied for trezor newsletter... I was not that ''lucky''.
I guess the hackers didn't recover the entire database or they did but didn't yet send their phishing emails to everyone. Perhaps you will receive one in an upcoming batch. Have you checked the email today if there is any spam?
hero member
Activity: 1386
Merit: 599
The worst thing is that the emails were sent from an official Trezor email address - [email protected].
Are you sure it's the exact same official email address and not something nearly identical but hidden with punycodes and coming from different source?

Congrats on being selected as one of the ''lucky'' winners from everyone who applied for trezor newsletter... I was not that ''lucky''.

I definitely wouldn't call it being a winner or lucky, it's called being phished lol. I know that Trezor officially recognized this email scam tactic and was pretty proactive with how they handled this scam. Is anyone else under that impression??? Certainly Trezor needs to uphold their reputation, from what I can see they have been very transparent. What I am not liking is info I saw recently from a hacker forum that explained Trezor gets notifications when and how you use your devices with them.
legendary
Activity: 2212
Merit: 7064
The worst thing is that the emails were sent from an official Trezor email address - [email protected].
Are you sure it's the exact same official email address and not something nearly identical but hidden with punycodes and coming from different source?

Congrats on being selected as one of the ''lucky'' winners from everyone who applied for trezor newsletter... I was not that ''lucky''.
legendary
Activity: 2730
Merit: 7065
Yeah, Trezor has suffered a second data breach on 24 January. It's again an issue with a 3rd-party. This time, it was their email service provider that got hacked and scammers sent out phishing emails. As dkbit98 mentioned, the users who signed up for their newsletters are affected. The worst thing is that the emails were sent from an official Trezor email address - [email protected].

What's next?
legendary
Activity: 2212
Merit: 7064




This is what is popping up now when you open the Trezor Suite app: they are warning users about unsolicited emails asking for sensitive customer information.

With this pop-up Trezor is sending a link to a recent blog article with detailed explanations, and if you ever signed up for the Trezor newsletter you can expect to receive one of these emails.
And there is a lame apology from Trezor in the end.

Quote
We apologize for any concern this may have caused you.
https://blog.trezor.io/trezor-security-alert-stay-vigilant-against-an-unauthorized-email-and-continued-phishing-attacks-1b4982c2f53c


hero member
Activity: 462
Merit: 767
Even though they have regained access to their support center, the hacker still has a chance to use email spoofing and send emails to those Trezor users and try various hacking attempts like sending malware and asking them to download it, or asking them to use a new web portal which could be phishing, and numerous more methods they may try. There is still a small percentage of people who might believe those emails and try those things.

This is exactly what has started to happen now. Check this thread for more information: "[Warning] Trezor users are receiving fake emails with phishing links".

We knew from the beginning that if a hacker had the list of the users, he would make various scam attempts including sending emails and asking them to do various things. In this case, the hacker sends users an email to upgrade their network, otherwise, the users will lose their funds. LOL. What a lame excuse! I wish no one falls for this scam attempt. But as I said, we will never know if some average Joe who has a Trezor wallet may fall for this scam. I hope everyone stays safe and does not fall for it.
legendary
Activity: 2212
Merit: 7064
Protonmail provides privacy features such as creating alias, verifying the link before receiving, and better filters for messages, so purchasing the paid service and using alias for each service will provide you with a good solution.
Proton charges for using their alias feature, but I found one great alternative that can be used for free with some limitations, and you can pay to have more of them.
Anyone interested can contact me if they want a ref link, but you don't have to buy anything.

Apart from lost packages, I'd go with creating a thread on their forum instead.
Or ask them directly on Twitter, Reddit and other places where they are active in providing some type of support.

If what Trezor said was true, you shouldn't get any unless you contacted customer support starting from December 2021 and up until a few days ago.
I never contacted customer support for any hardware wallet, and I am considering any email message I received as a potential phishing attack.

I just got very suspicious mail from trezor.io
This is 100% a scam.
Report as spam and ignore.
Other scammers unrelated to this hack will try to use this situation and send emails to everyone.
sr. member
Activity: 328
Merit: 250
Hi,

I just got very suspicious mail from trezor.io





it says:

Dear customer.

This email is to let you know your wallet assets are undergoing a upgrade.

In an effort to upgrade our infrastructure we are temporarily disabling the following networks:

BTC, ETH, XRP, ERC20, BEP20, TRON, TRC20
We are requiring action from our users to re-enable the networks.

Important: Failure to upgrade your networks could result to full funds loss

legendary
Activity: 2730
Merit: 7065
I never received any phishing emails from fake trezor yet, but I learned my lesson with ledger.
If what Trezor said was true, you shouldn't get any unless you contacted customer support starting from December 2021 and up until a few days ago.

I don't see any good reason to contact trezor support, unless there was a lost package, device stopped working or something similar.
Those are the usual topics of discussion. However, I am sure there are people who have a question or two they want to clear with the support before ordering their product. I honestly can't remember the reason I spoke with them. But one of my emails is apparently on the list. I guess it's a good time to check my "Will Hardware Wallet Manufacturers Leak Customer’s Email Data" topic and see if there is something there that shouldn't be.
legendary
Activity: 2968
Merit: 3406
I don't see any good reason to contact trezor support, unless there was a lost package, device stopped working or something similar.
Apart from lost packages, I'd go with creating a thread on their forum instead.

To my knowledge Trezor only holds onto customer ordering info for up to 30 or 90 days I can't remember which.
It's 90 days but they "only anonymize it", as opposed to deleting it [I got mixed feelings about it]!
- It's worth noting that the issue we're facing at the moment is about their customer support data (the above data that you were referring to wasn't affected).
legendary
Activity: 2702
Merit: 4002
Protonmail provides privacy features such as creating alias, verifying the link before receiving, and better filters for messages, so purchasing the paid service and using alias for each service will provide you with a good solution.


To my knowledge Trezor only holds onto customer ordering info for up to 30 or 90 days I can't remember which. I am curious to see what happens to their reputation if anything as a result of this hack. It appears that it was largely outside of their control seeing as one of their third party vendors was hacked and they were not directly hacked.
It is useless when your data may be shared with third parties. These third parties may have a different privacy policy and may keep your data for years, and there is no provision that requires Trezor to contact the third parties to delete your data within 90 days.
hero member
Activity: 1386
Merit: 599


Why does Trezor retain customer data from December 2021, and what is their need for this data, since the user does not interact with the company directly after purchasing the devices?
It's not Trezor's data. It belongs to the 3rd-party service they use for the customer support portal. Their TOS and Privacy Policy will shed more light on how long they retain customer information.

To my knowledge Trezor only holds onto customer ordering info for up to 30 or 90 days I can't remember which. I am curious to see what happens to their reputation if anything as a result of this hack. It appears that it was largely outside of their control seeing as one of their third party vendors was hacked and they were not directly hacked.
legendary
Activity: 2212
Merit: 7064
I never received any phishing emails from fake trezor yet, but I learned my lesson with ledger.
Always use a new email address or alias for each service, and always try to purchase something locally with cash and without writing any personal info, or use anonymous lockers for delivery.
I don't see any good reason to contact trezor support, unless there was a lost package, device stopped working or something similar.

This is one of the reasons why DIY devices like Krux and Seedsigner are gaining more and more popularity, but you can get phishing attacks with anything.
I know a guy who recently received a phishing Viber message telling him that his ''package'' arrived and he needs to contact the (fake) post office to pick it up.
legendary
Activity: 2730
Merit: 7065
Here's that same bullshit again. Why store personal data (email addresses and names/usernames) for years?
There are probably laws and regulations requiring businesses to store client information for some time. I have no expertise in these areas to be able to answer that question probably. But each country has their own laws. Each regulator its own regulations and restrictions.  

Some weird hacker. Does he write each letter manually and send it manually? Could this not be automated?
Maybe he did. What makes you think he writes a unique email for each potential victim? Is it the huge difference between the allegedly affected individuals (66,000) and the 41 emails that Trezor mentioned they know were sent?

One of their Reddit mods [@kaacaSL] mentioned "maximally 8 phone numbers could have been compromised" as well [unfortunately].
So the numbers are increasing slowly. Hopefully, it doesn't turn into a huge affair, much bigger than what was originally thought.
legendary
Activity: 2968
Merit: 3406
- The leaked data involves email addresses and names/usernames used.
One of their Reddit mods [@kaacaSL] mentioned "maximally 8 phone numbers could have been compromised" as well [unfortunately].

Here is an example of the phishing email that customers received from the hacker:
https://www.talkimg.com/images/2024/01/20/kawNg.jpeg
And "here's" a different attempt by the hacker.
- The previous version probably wasn't that successful.
legendary
Activity: 1792
Merit: 1296
- The hack affected users who may have been in contact with Trezor customer support since December 2021.
- It's believed that up to 66,000 users may have been affected.
- The leaked data involves email addresses and names/usernames used.
Here's that same bullshit again. Why store personal data (email addresses and names/usernames) for years? In anticipation that one day they will be kidnapped like this time? Trezor went through this stage and reduced the storage period for customer information to 3 months. In order for their partners to understand this and introduce adjustments to their behavior policies, did they necessarily need to screw up themselves? Now users ("up to 66,000 users") will have to carefully scrutinize every email so as not to run into phishing attacks due to their ("trezor's third-party support ticketing portal") stupidity.

- The hacker already contacted 41 users and requested they email him their seeds to "check the firmware version on their device."
Some weird hacker. Does he write each letter manually and send it manually? Could this not be automated?

What now?
Nothing changes. Never enter your seed or send it to anyone, no matter who asks. Think before you do anything that might compromise you and your funds.
That's right, nothing changes. When providing any information about yourself, even to trusted service providers, be prepared that they will leak your data. Necessarily. It's only a matter of time. And a reasonable question arises: are they not abusing the requirements to provide information from buyers every time?

Ways to protect yourself from the consequences of this:
- Use a new email address each time only for a specific service provider, don't provide any of your personal data, as far as possible. And of course, don’t fall for phishing.
hero member
Activity: 462
Merit: 767
Pretty much what Learn Bitcoin said. The problem isn't the phishing attack per se; I mean, it really sucks if someone fell for that, but they can't have missed the many warnings. (If I recall correctly, once the seed is generated, it displays a "Never share it with anyone" message)
Unfortunately, only a small percentage of these users are on the crypto forum or follow the blog websites. Most people come online just to check their social media. No matter how many times we write these warnings, there will still be users who haven't seen our discussion and the warnings posted on the internet. You and I know what we should avoid, but we cannot expect everyone to be veteran crypto users. A lot of us still get confused when we receive phishing emails.

The hacker doesn't necessarily have the information of 66,000 Trezor users. They have information on (according to reports) a maximum of 66.000 users that contacted Trezor support from December 2021. Many of them are surely owners of their hardware wallets, others could be interested parties, like you and me, who sent an email and asked for information or clarification on some points.
I understand that. Maybe the hacker didn't back up the list of users and emails. Or maybe he wasn't able to collect all the information. Or maybe he has 50K emails and usernames. We never know, right? So, let's assume all the data available on their support center was leaked.