
Topic: Trezor's 3rd-Party Support Portal was Hacked (Read 376 times)

legendary
Activity: 2730
Merit: 7065
January 31, 2024, 11:10:56 AM
#27
@PrivacyG
I guess you received the one that came from the official Trezor email handle telling you that your assets are being upgraded and that you need to confirm your holdings by entering your seed phrase. Even though it came from Trezor's official email, anyone asking for your seed and private keys should immediately ring all kinds of red alarms on the user's end. Most hardware wallet users should have enough knowledge to know this. Trezor now has a big red notification in its Trezor Suite informing all users about the phishing emails and importance of not sharing sensitive data with anyone.
legendary
Activity: 882
Merit: 1873
I fear that this is only the start of a long campaign in draining the funds of users that were both unaware of this 3rd-party support portal hack and are not that savvy in what concerns their devices and best security practices...
Holy Moly.  I received a message from Trezor too and it seemed legitimate at first.  Being a little bit tech savvy though I quickly realized it can not be real and ignored it.  But this can easily fool the regular person using Trezor or Bitcoin, all it takes is them having trust in the Trezor team.

Trezor should add multiple warnings in the boxes of their products.  They should make it clear to every body that Private Keys and Seeds should NEVER be given away even to the Support team of Trezor or it may lead to loss of funds.  Even after so many years, too many people STILL do not understand this.

Hell.  I would add such a warning on the boot screen too and particularly on the Seed Phrase paper.  Bold text on red background, make them notice the warning before attempting any thing stupid.
legendary
Activity: 1148
Merit: 3117
And it seems that a batch of new e-mails were sent to some customers notifying them of an upgrade to their assets[1]. It looks like a more elaborate scam attempt than we usually see per Reddit comments:
Quote
Not just the signature (that isn't usually perceived by "normal" users), but even the link the scam was pointing to was legit. First thing you would check about is the links, but the links were legit, so this could have fooled a bunch of people.. if you know how it works (hence I did), you come to a conclusion: wow, this is a phishing email, but everything in the email is legit, a scammer can't do that without hacking the backend (or obtaining access to the platform).. and you come here on Reddit to check. But what about the other thousands of people out there, they may easily fall for it, because the contents (maybe not the spell) were all legit.
I fear that this is only the start of a long campaign in draining the funds of users that were both unaware of this 3rd-party support portal hack and are not that savvy in what concerns their devices and best security practices...

[1]https://teddit.zaggy.nl/r/TREZOR/comments/19enqtd/security_alert_weve_detected_an_unauthorized/
legendary
Activity: 2730
Merit: 7065
Are you sure it's the exact same official email address and not something nearly identical but hidden with punycodes and coming from different source?
It's from their email provider. The service handling their emails got hacked. I don't know why that's something they would outsource to a third party, and why they couldn't have handled that themselves in-house. But like with anything, companies only change when shit happens.

Congrats on being selected as one of the ''lucky'' winners from everyone who applied for trezor newsletter... I was not that ''lucky''. :P
I guess the hackers didn't recover the entire database or they did but didn't yet send their phishing emails to everyone. Perhaps you will receive one in an upcoming batch. Have you checked the email today if there is any spam?
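
The point made in the posts above is that a message can come from the exact official address, signed by the real (compromised) mail provider, so sender and punycode checks alone cannot catch it. The following is an added example, not part of any post in this thread, that triages a message on sender domain, DKIM alignment and whether the body asks for a seed. The domain `vendor.example`, the sample messages and the function names are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

OFFICIAL = "vendor.example"  # assumption: placeholder for the vendor's real sending domain

# A request verb followed closely by a secret term, unless preceded by "never"/"not".
SEED_REQUEST = re.compile(
    r"(?<!never )(?<!not )\b(?:enter|send|email|confirm|provide|submit)(?:ing|s)?\b"
    r"[^.]{0,60}\b(?:seed|recovery phrase|private key|mnemonic)",
    re.IGNORECASE,
)

def classify_sender(from_header, official=OFFICIAL):
    """Return 'exact', 'punycode' (IDN lookalike candidate) or 'other'."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain == official:
        return "exact"
    labels = domain.split(".")
    if not domain.isascii() or any(label.startswith("xn--") for label in labels):
        return "punycode"
    return "other"

def dkim_aligned(msg, official=OFFICIAL):
    """True if Authentication-Results reports dkim=pass for the official domain.
    Only trust this header when your own receiving mail server added it."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"dkim=pass\b[^;]*\bheader\.d=([\w.-]+)", str(value), re.I)
        if m and m.group(1).lower() == official:
            return True
    return False

def triage(raw, official=OFFICIAL):
    """Content rule wins: a seed request is rejected even from a verified sender."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    sender = classify_sender(str(msg["From"]), official)
    seed = bool(SEED_REQUEST.search(body))
    if seed:
        verdict = "reject"
    elif sender != "exact":
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"sender": sender, "dkim_aligned": dkim_aligned(msg, official),
            "seed_request": seed, "verdict": verdict}

def build(from_addr, dkim_domain, body):
    """Assemble a constructed test message (not a real captured email)."""
    return (f"From: Support <{from_addr}>\n"
            "To: user@recipient.example\n"
            "Subject: Account notice\n"
            "Authentication-Results: mx.recipient.example; "
            f"dkim=pass header.d={dkim_domain}\n"
            f"\n{body}\n")

# Constructed samples: sent through the compromised provider, a lookalike domain,
# and a genuine warning that mentions the seed without requesting it.
COMPROMISED = build("noreply@vendor.example", "vendor.example",
                    "Your wallet requires attention. Email us your recovery seed "
                    "so we can check the firmware version on your device.")
LOOKALIKE = build("noreply@xn--vendr-abc.example", "xn--vendr-abc.example",
                  "Your assets are being upgraded. Visit the portal to re-enable "
                  "your networks.")
WARNING = build("noreply@vendor.example", "vendor.example",
                "Never enter your seed or send it to anyone, no matter who asks.")

if __name__ == "__main__":
    for name, raw in [("compromised", COMPROMISED), ("lookalike", LOOKALIKE),
                      ("warning", WARNING)]:
        print(name, triage(raw))
```

The first sample passes every sender check and is still rejected, which is the case the thread describes; the keyword rule is a coarse filter and does not replace the habit of never giving a seed to anyone.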
hero member
Activity: 1386
Merit: 599
The worst thing is that the emails were sent from an official Trezor email address - [email protected].
Are you sure it's the exact same official email address and not something nearly identical but hidden with punycodes and coming from different source?

Congrats on being selected as one of the ''lucky'' winners from everyone who applied for trezor newsletter... I was not that ''lucky''. :P

I definitely wouldn't call it being a winner or lucky, it's called being phished lol. I know that Trezor officially recognized this email scam tactic and was pretty proactive with how they handled this scam. Is anyone else under that impression??? Certainly Trezor needs to uphold their reputation, from what I can see they have been very transparent. What I am not liking is info I saw recently from a hacker forum that explained Trezor gets notifications when and how you use your devices with them ???
legendary
Activity: 2212
Merit: 7064
The worst thing is that the emails were sent from an official Trezor email address - [email protected].
Are you sure it's the exact same official email address and not something nearly identical but hidden with punycodes and coming from different source?

Congrats on being selected as one of the ''lucky'' winners from everyone who applied for trezor newsletter... I was not that ''lucky''. :P
legendary
Activity: 2730
Merit: 7065
Yeah, Trezor has suffered a second data breach on 24 January. It's again an issue with a 3rd-party. This time, it was their email service provider that got hacked and scammers sent out phishing emails. As dkbit98 mentioned, the users who signed up for their newsletters are affected. The worst thing is that the emails were sent from an official Trezor email address - [email protected].

What's next???
legendary
Activity: 2212
Merit: 7064




This is what is popping up now when you open Trezor Suite app, they are warning users about unsolicited emails asking for customer sensitive information.

With this pop-up Trezor is sending a link to a recent blog article with detailed explanations, and if you ever signed up for the Trezor newsletter you can expect to receive one of these emails.
And there is a lame apology from Trezor in the end :P

Quote
We apologize for any concern this may have caused you.
https://blog.trezor.io/trezor-security-alert-stay-vigilant-against-an-unauthorized-email-and-continued-phishing-attacks-1b4982c2f53c


hero member
Activity: 462
Merit: 767
Even though they have regained access to their support center, the hacker still has a chance to use email spoofing and send emails to those Trezor users and try various hacking attempts like sending malware and asking them to download, or asking them to use new web portal which could be phishing and numerous more methods they may try. There are still a few percentage of people who might believe those emails and try those things.

This is exactly what has started to happen now. Check this thread for more information: [Warning] Trezor users are receiving fake emails with phishing links. We knew from the beginning that if a hacker had the list of the users, he would make various scam attempts including sending emails and asking them to do various things. In this case, the hacker sends users an email to upgrade their network, otherwise, the users will lose their funds. LOL. What a lame excuse! I wish no one falls for this scam attempt. But as I said, we will never know if some average Joe who has a Trezor wallet may fall for this scam. I hope everyone stays safe and does not fall for it.
legendary
Activity: 2212
Merit: 7064
Protonmail provides privacy features such as creating alias, verifying the link before receiving, and better filters for messages, so purchasing the paid service and using alias for each service will provide you with a good solution.
Proton charges for using their alias feature, but I found one great alternative that can be used for free with some limitation, and you can pay to have more of them.
Anyone interested can contact me if they want ref link, but you don't have to buy anything ;)

Apart from lost packages, I'd go with creating a thread on their forum instead.
Or ask them directly in twitter, reddit and other places where they are active in providing some type of support.

If what Trezor said was true, you shouldn't get any unless you contacted customer support starting from December 2021 and up until a few days ago.
I never contacted customer support for any hardware wallet, and I am considering any email message I received as potential phishing attack.

I just got very suspicious mail from trezor.io
This is 100% a scam.
Report as spam and ignore.
Other scammers unrelated with this hack will try to use this situation and send emails to everyone.
sr. member
Activity: 328
Merit: 250
Hi,

I just got very suspicious mail from trezor.io





it says:

Dear customer.

This email is to let you know your wallet assets are undergoing a upgrade.

In an effort to upgrade our infrastructure we are temporarily disabling the following networks:

BTC, ETH, XRP, ERC20, BEP20, TRON, TRC20
We are requiring action from our users to re-enable the networks.

Important: Failure to upgrade your networks could result to full funds loss

legendary
Activity: 2730
Merit: 7065
I never received any phishing emails from fake trezor yet, but I learned my lesson with ledger.
If what Trezor said was true, you shouldn't get any unless you contacted customer support starting from December 2021 and up until a few days ago.

I don't see any good reason to contact trezor support, unless there was a lost package, device stopped working or something similar.
Those are the usual topics of discussion. However, I am sure there are people who have a question or two they want to clear with the support before ordering their product. I honestly can't remember the reason I spoke with them. But one of my emails is apparently on the list. I guess it's a good time to check my Will Hardware Wallet Manufacturers Leak Customer’s Email Data topic and see if there is something there that shouldn't be.
legendary
Activity: 2968
Merit: 3406
I don't see any good reason to contact trezor support, unless there was a lost package, device stopped working or something similar.
Apart from lost packages, I'd go with creating a thread on their forum instead.

To my knowledge Trezor only holds onto customer ordering info for up to 30 or 90 days I can't remember which.
It's 90 days but they "only anonymize it", as opposed to deleting it [I got mixed feelings about it]!
- It's worth noting that the issue we're facing at the moment is about their customer support data (the above data that you were referring to wasn't affected).
legendary
Activity: 2744
Merit: 4065
Protonmail provides privacy features such as creating alias, verifying the link before receiving, and better filters for messages, so purchasing the paid service and using alias for each service will provide you with a good solution.


To my knowledge Trezor only holds onto customer ordering info for up to 30 or 90 days I can't remember which. I am curious to see what happens to their reputation if anything as a result of this hack. It appears that it was largely outside of their control seeing as one of their third party vendors was hacked and they were not directly hacked.
It is useless when your data may be shared with third parties. These third parties may have a different privacy policy and may keep your data for years, and there is no provision that requires Trezor to contact the third parties to delete your data within 90 days.
hero member
Activity: 1386
Merit: 599


Why does Trezor retain customer data from December 2021, and what is their need for this data, since the user does not interact with the company directly after purchasing the devices?
It's not Trezor's data. It belongs to the 3rd-party service they use for the customer support portal. Their TOS and Privacy Policy will shed more light on how long they retain customer information.

To my knowledge Trezor only holds onto customer ordering info for up to 30 or 90 days I can't remember which. I am curious to see what happens to their reputation if anything as a result of this hack. It appears that it was largely outside of their control seeing as one of their third party vendors was hacked and they were not directly hacked.
legendary
Activity: 2212
Merit: 7064
I never received any phishing emails from fake trezor yet, but I learned my lesson with ledger.
Always use new email address or alias for each service, and always try to purchase something locally with cash and without writing any personal info, or use anonymous lockers for delivery.
I don't see any good reason to contact trezor support, unless there was a lost package, device stopped working or something similar.

This is one of the reasons why DIY devices like Krux and Seedsigner are getting more and more popularity, but you can get phishing attacks with anything.
I know a guy who recently received a phishing Viber message telling him that his ''package'' arrived and he needs to contact the (fake) post office to pick it up. :P
legendary
Activity: 2730
Merit: 7065
Here's that same bullshit again. Why store personal data (email addresses and names/usernames) for years?
There are probably laws and regulations requiring businesses to store client information for some time. I have no expertise in these areas to be able to answer that question probably. But each country has their own laws. Each regulator its own regulations and restrictions.  

Some weird hacker. Does he write each letter manually and send it manually? Could this not be automated?
Maybe he did. What makes you think he writes a unique email for each potential victim? Is it the huge difference between the allegedly affected individuals (66,000) and the 41 emails that Trezor mentioned they know were sent?

One of their Reddit mods [@kaacaSL] mentioned "maximally 8 phone numbers could have been compromised" as well [unfortunately].
So the numbers are increasing slowly. Hopefully, it doesn't turn into a huge affair, much bigger than what was originally thought.
legendary
Activity: 2968
Merit: 3406
- The leaked data involves email addresses and names/usernames used.
One of their Reddit mods [@kaacaSL] mentioned "maximally 8 phone numbers could have been compromised" as well [unfortunately].

Here is an example of the phishing email that customers received from the hacker:
https://www.talkimg.com/images/2024/01/20/kawNg.jpeg
And "here's" a different attempt by the hacker.
- The previous version probably wasn't that successful.
legendary
Activity: 1792
Merit: 1296
- The hack affected users who may have been in contact with Trezor customer support since December 2021.
- It's believed that up to 66,000 users may have been affected.
- The leaked data involves email addresses and names/usernames used.
Here's that same bullshit again. Why store personal data (email addresses and names/usernames) for years? In anticipation that one day they will be kidnapped like this time? Trezor went through this stage and reduced the storage period for customer information to 3 months. In order for their partners to understand this and introduce adjustments to their behavior policies, did they necessarily need to screw up themselves? Now users ("up to 66,000 users") will have to carefully scrutinize every email so as not to run into phishing attacks due to their ("trezor's third-party support ticketing portal") stupidity.

- The hacker already contacted 41 users and requested they email him their seeds to "check the firmware version on their device."
Some weird hacker. Does he write each letter manually and send it manually? Could this not be automated?

What now?
Nothing changes. Never enter your seed or send it to anyone, no matter who asks. Think before you do anything that might compromise you and your funds.
That's right, nothing changes. When providing any information about yourself, even to trusted service providers, be prepared that they will leak your data. Necessarily. It's only a matter of time. And a reasonable question arises: are they not abusing the requirements to provide information from buyers every time?

Ways to protect yourself from the consequences of this:
- Use a new email address each time only for a specific service provider, don't provide any of your personal data, as far as possible. And of course, don’t fall for phishing.
hero member
Activity: 462
Merit: 767
Pretty much what Learn Bitcoin said. The problem isn't the phishing attack per se; I mean, it really sucks if someone fell for that, but they can't have missed the many warnings. (If I recall correctly, once the seed is generated, it displays a "Never share it with anyone" message)
Unfortunately, only a small percentage of these users are on the crypto forum or follow the blog websites. Most people come online just to check their social media. No matter how many times we write these warnings, still there will be users who haven't seen our discussion and the warnings posted on the internet. You and I know what we should avoid, but we cannot expect everyone to be veteran crypto users. A lot of us still get confused when we receive phishing emails.

The hacker doesn't necessarily have the information of 66,000 Trezor users. They have information on (according to reports) a maximum of 66.000 users that contacted Trezor support from December 2021. Many of them are surely owners of their hardware wallets, others could be interested parties, like you and me, who sent an email and asked for information or clarification on some points.
I understand that. Maybe the hacker didn't backup the list of users and emails. Or maybe he wasn't able to collect all the information. Or maybe he has 50K emails and usernames. We never know, right? So, let's assume all the data available on their support center was leaked.
legendary
Activity: 2730
Merit: 7065
Trezor claims that no one was affected but approximately 66000 users' email and nicknames were leaked. This means the hacker has a list of 66000 Trezor users and he will surely try to use those emails to do something.
The hacker doesn't necessarily have the information of 66,000 Trezor users. They have information on (according to reports) a maximum of 66.000 users that contacted Trezor support from December 2021. Many of them are surely owners of their hardware wallets, others could be interested parties, like you and me, who sent an email and asked for information or clarification on some points.

Trezor stated that they still don't have information if there were any victims, but they know of 41 phishing emails that were sent out. That was the information that was available when I created this thread.

hacker was able to develop a fake Trezor Suite App and ask users to download it, connect their wallets, and then steal it easily.
They didn't develop a fake app. This is a phishing scheme. A social engineering attempt to get you to email them the seed.

Why does Trezor retain customer data from December 2021, and what is their need for this data, since the user does not interact with the company directly after purchasing the devices?
It's not Trezor's data. It belongs to the 3rd-party service they use for the customer support portal. Their TOS and Privacy Policy will shed more light on how long they retain customer information.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Pretty much what Learn Bitcoin said. The problem isn't the phishing attack per se; I mean, it really sucks if someone fell for that, but they can't have missed the many warnings. (If I recall correctly, once the seed is generated, it displays a "Never share it with anyone" message)

The problem is, for once more, the data the hacker possesses right now. That email and name list will sooner or later be sold at Breached or some other corner of the darknet, and there will be victims.
legendary
Activity: 1596
Merit: 1288
I am surprised that despite the hacker's efforts to access the basic system and some sensitive data, including the email address, he exploits it in a trick to send seeds. hacker was able to develop a fake Trezor Suite App and ask users to download it, connect their wallets, and then steal it easily.
Why does Trezor retain customer data from December 2021, and what is their need for this data, since the user does not interact with the company directly after purchasing the devices?
hero member
Activity: 462
Merit: 767
I have just checked the post by Trezor and came to this board to see if this was posted or not. It's surprising how these crypto hacks continue. Even though it wasn't the Trezor but the 3rd party support center they use, still it's alarming. Trezor claims that no one was affected but approximately 66000 users' email and nicknames were leaked. This means the hacker has a list of 66000 Trezor users and he will surely try to use those emails to do something.

Even though they have regained access to their support center, the hacker still has a chance to use email spoofing and send emails to those Trezor users and try various hacking attempts like sending malware and asking them to download, or asking them to use new web portal which could be phishing and numerous more methods they may try. There are still a few percentage of people who might believe those emails and try those things.
legendary
Activity: 2730
Merit: 7065
If someone has moved from a software wallet to a hardware one like Trezor, I believe he/she must have known the pros and cons or dos and don'ts of wallets. So from my perspective I don't want to believe that someone would fall for this simple trick of sending your passphrase to anyone.
It sometimes amazes me what kind of cheap tricks people fall for. It's things like giving scammers their seeds and private keys by entering them in a phishing site that is on top of the list. It still works, and scammers still make money that way. In other cases, it's carelessness or tiredness that causes people to commit mistakes and not notice what they are doing.

Even before you could finish setting up your trezor wallets passphrase there is a caution that says "do not give out your passphrase to anyone it's your private property." That should be enough warning except for the fact that it was targeted on users who might have been offline.
Don't mistake the recovery phrase/seed for the passphrase. Those are two completely different things. Trezor surely cautions you not to give out the recovery phrase. The passphrase is an advanced and optional security feature that you can set up if you want, but it's not a requirement to do so. Due to Trezor's unfixable seed extraction vulnerability, it's recommended to have one or multiple passphrases set up.   
member
Activity: 66
Merit: 5
What now?
Nothing changes. Never enter your seed or send it to anyone, no matter who asks. Think before you do anything that might compromise you and your funds.

If someone has moved from a software wallet to a hardware one like Trezor, I believe he/she must have known the pros and cons or dos and don'ts of wallets. So from my perspective I don't want to believe that someone would fall for this simple trick of sending your passphrase to anyone. Even before you could finish setting up your Trezor wallet's passphrase there is a caution that says "do not give out your passphrase to anyone it's your private property." That should be enough warning except for the fact that it was targeted on users who might have been offline.
legendary
Activity: 2730
Merit: 7065
Trezor has just informed the public that there was a security incident on 17 January 2024 that affected their third-party support ticketing portal. Someone gained access to the platform and certain sensitive data.

Here is what is known so far:

- The hack DID NOT compromise the hardware wallets or seeds of users in any way.
- Trezor was not hacked. A third-party service they use was compromised.
- The hack affected users who may have been in contact with Trezor customer support since December 2021.
- It's believed that up to 66,000 users may have been affected.
- The leaked data involves email addresses and names/usernames used.
- The hacker already contacted 41 users and requested they email him their seeds to "check the firmware version on their device."

Trezor has already started contacting the 66,000 users they believe may have been affected. If you are among those, expect an email from [email protected] today or tomorrow.

Here is an example of the phishing email that customers received from the hacker:


What now?
Nothing changes. Never enter your seed or send it to anyone, no matter who asks. Think before you do anything that might compromise you and your funds.


You can read a detailed report on the security incident on the Trezor blog:
https://blog.trezor.io/trezor-security-update-stay-vigilant-against-potential-phishing-attack-bb05015a21f8