Trezor discloses phishing attack impacting 66,000 users


While no funds have been compromised, Trezor warned users to remain vigilant against potential phishing attempts.

Crypto hardware wallet manufacturer Trezor has disclosed a potential data breach impacting up to 66,000 users who contacted their customer support since December 2021.

🚨Security Alert 🚨

On January 17, 2024, the third-party support ticketing portal we use encountered unauthorized access.

Potentially impacted data are limited to user emails and names/nicknames that contacted our customer support team.

We want to assure you that this does not… pic.twitter.com/hnxBYBlvlO

— Trezor (@Trezor) January 20, 2024

An unauthorized individual accessed Trezor’s third-party customer support ticketing system on January 17, potentially exposing user names/nicknames and email addresses. Trezor claims that this potential breach only occurred “at the level of that third-party service provider” they are currently engaged with.

Trezor stated they have yet to receive definitive confirmation from the third-party vendor regarding the extent of the breach. However, out of caution, Trezor emailed notifications to all 66,000 users whose contact information was compromised. The disclosure to possibly affected users was released within an hour of the company’s vulnerability notification. Trezor also directly contacted 41 users who received phishing emails from the attacker requesting sensitive recovery seed information.

While no funds have been compromised, Trezor warned users to remain vigilant against potential phishing attempts to steal wallet recovery seeds.

“We want to stress that none of our users’ funds have been compromised through this incident. Your Trezor device remains as secure today, as it was yesterday,” said the company.

Dependency on third-party vendors presents inherent security risks, an issue Trezor said they are addressing in light of this incident. Users are advised to avoid entering recovery seeds outside of the Trezor hardware device and to remain cautious of unsolicited communications requesting sensitive information. Trezor devices themselves remain secure.

Phishing employs social engineering techniques to gain access to sensitive personal data. Attackers carefully study their targets to create authentic-looking messages, often replicating logos and communications from legitimate organizations. 

One recent example is the fake tweet posted from the SEC’s account on January 9, 2024, which falsely appeared to confirm the spot Bitcoin ETF. The incident was confirmed by X, corroborating claims from SEC Chairman Gary Gensler, who said it resulted from compromised access to the account.

Phishing scams use clever technical tricks to seem real. Fake websites copy the look of real ones to fool people. Emails disguise who they are really from. Links and attachments secretly download harmful software. Even vigilant internet users can miss these signs. The combination of social manipulation and technical disguises makes phishing a common online threat. Staying alert protects against getting tricked.

Well-crafted phishing messages urgently request sensitive information or prompt users to click links to fake websites. By manipulating psychological factors like trust, reciprocation, and fear, such attacks exploit unaware victims.
