Bitcoin Forum

Alternate cryptocurrencies => Altcoin Discussion => Topic started by: PawGo on January 19, 2023, 07:55:31 AM



Title: Another data leak from Mailchimp, wallet affected? NEAR
Post by: PawGo on January 19, 2023, 07:55:31 AM
Mailchimp, a company which manages newsletters and mailing lists, has one more problem (the same each time, I would say). They confirmed they had another leak:
https://mailchimp.com/january-2023-security-incident/

Mailchimp is used by many companies which are too lazy to create/use their own mailing system, and recently many users have received emails like this:

[you have been warned]

Quote

NEAR Web Wallet Security Update
 

Hello NEAR community,

We are reaching out to notify you of a security incident at Mailchimp that may have impacted members of the NEAR ecosystem. 

On Thursday January 12th, Mailchimp, one of our external email management tools, notified us that as a result of a breach of Mailchimp’s systems, an unauthorized actor accessed a Mailchimp account. We are contacting you because your email address is stored in this affected Mailchimp instance.

According to Mailchimp, this breach only involved email addresses and did not include breach of passwords or credit card data. Based on Mailchimp’s public disclosure on January 13th, at least 133 Mailchimp accounts across its platform were affected in a broader incident targeting the Mailchimp platform. Mailchimp’s related blog post can be read here. 

At the current time, Mailchimp has been unable to confirm whether the email address data in the affected Mailchimp instance was downloaded. However, out of an abundance of caution, we wanted to flag this breach to the NEAR community.

It is important to note that we do not store data that could be used to compromise NEAR wallets. We currently have no reason to believe any information other than email addresses might have been accessed. Regardless, as a precautionary measure, we request that you increase your vigilance regarding possible phishing attempts, as malicious actors could be posing as NEAR or any of its ecosystem partners through email communications. NEAR Foundation, Pagoda and the Wallet team will only send emails from @near.foundation, @near.org or @pagoda.co.

Additionally, please note that NEAR will never email you asking to make transactions or soliciting your business. We will never ask for your password or private key, promote airdrops of $NEAR or other tokens associated with the NEAR ecosystem, or solicit any type of payment or request to sell your digital assets.

To ensure NEAR ecosystem user security and privacy, our security team is continuing to work with Mailchimp in its investigation. We will keep you updated as Mailchimp’s investigation continues to unfold.

As always, we hope you are currently observing and will continue to observe careful measures with the security of your wallet. Here is a list of best practices as it pertains to self-custody wallets.
 

Best Practices for Self-Custody Wallets

    Utilize a mixture of hot and cold wallets—hot wallets are connected to the internet, cold wallets are not.
    Choose a hot wallet strictly for smaller, convenient NEAR transactions
    Do not store all of your tokens in a hot wallet
    Utilize a hardware wallet, such as a Ledger, to store tokens and make larger transactions.
    Ensure you are utilizing the right URL for your wallet. Inspect links for correct URLs before clicking.
    Avoid wallet names that contain identifying information, such as names or email addresses.
    Use a private browser session for wallet transactions, disabling third-party plugins.
    Check transactions before you sign or approve them.
    Never connect your NEAR wallet or click-through unsolicited links.
    Never store your recovery phrases for wallets with significant tokens in password managers, emails, or on a computer that may be connected to the internet.
    Only interact with NEAR Foundation via official channels. Our social media accounts, Discord, and Telegram channels can be found at https://near.org/ecosystem/community/. Our official accounts are verified and have the verification marks.
    Be suspicious of unofficial channels and offers that appear to be too good to be true.

 
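As an added illustration of the sender-domain and link-inspection advice in the announcement above (example code written for this thread, not from NEAR or Mailchimp): a small Python triage script that flags a message whose sender domain or web links are not on the official domains the announcement lists, including lookalike hosts that merely start with an official name. The sample message and the regex-based link extraction are constructed simplifications.

```python
import re
from email import message_from_string, policy, utils
from urllib.parse import urlparse

# Sender domains the announcement above names as the only official ones.
ALLOWED_DOMAINS = {"near.foundation", "near.org", "pagoda.co"}

# Simplified link extraction: good enough for triage of plain HTML bodies.
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def is_allowed_host(host, allowed=ALLOWED_DOMAINS):
    # True only if host IS an allowed domain or a subdomain of one. A lookalike
    # such as 'near.org.example-mail.com' fails: 'near.org' is only a prefix there.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def triage(raw_message):
    # Return a list of findings; an empty list means nothing was flagged.
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    _, addr = utils.parseaddr(msg["From"] or "")
    sender_domain = addr.rpartition("@")[2]
    if not is_allowed_host(sender_domain):
        findings.append(f"sender domain {sender_domain!r} is not official")
    body = msg.get_body(preferencelist=("html", "plain"))
    for href in HREF_RE.findall(body.get_content() if body else ""):
        url = urlparse(href)
        # Only web links are checked; mailto: and similar are left alone.
        if url.scheme in ("http", "https") and not is_allowed_host(url.hostname or ""):
            findings.append(f"link to non-official host {url.hostname!r}: {href}")
    return findings


# Constructed sample message (not a real phishing mail): the lookalike host
# merely *starts with* near.org, which a naive substring check would accept.
SAMPLE_PHISH = """\
From: NEAR Wallet <security@near.org.example-mail.com>
Subject: Urgent: verify your wallet
Content-Type: text/html; charset=utf-8

<p>Click <a href="https://wallet.near.org.example-mail.com/recover">here</a>.</p>
<p>Docs: <a href="https://docs.near.org/">official docs</a></p>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_PHISH):
        print("FLAG:", finding)
```

Running it flags the sender domain and the recovery link but leaves the docs.near.org link alone, which is the difference between a suffix match on a registered domain and a substring match.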



Title: Re: Another data leak from Mailchimp, wallet affected? NEAR
Post by: Yogee on January 19, 2023, 03:19:58 PM
It's good that they're pro-active about the incident. I just find it funny how a protocol that preaches about decentralization is issuing a warning about a failure of a centralized service they used. Not that they are truly a decentralized platform but yes it does sound odd to me hehe.


Title: Re: Another data leak from Mailchimp, wallet affected? NEAR
Post by: ryzaadit on January 19, 2023, 05:46:56 PM
It's just like an "Email" list leaked.

If you are smart and already aware of how to handle your wallet, ignoring any wallet email in your "Inbox" would be a good option; most of the time, if there is a case like this, you are just going to be a target of "Phishing & Malware".

So, never put in any information or download software from your "Email".


Title: Re: Another data leak from Mailchimp, wallet affected? NEAR
Post by: Bitstar_coin on January 19, 2023, 07:44:44 PM
Unfortunately, those who are not security conscious and unaware of what to look for or how to identify phishing mails will just fall victim.
How come these leaked-mail incidents keep popping up so often lately?
This is just not looking good; I hope this won't cause damage to those involved.


Title: Re: Another data leak from Mailchimp, wallet affected? NEAR
Post by: so98nn on January 19, 2023, 07:54:03 PM
Quote
It is important to note that we do not store data that could be used to compromise NEAR wallets.  We currently have no reason to believe any information other than email addresses might have been accessed.

Now this is a very important point from them! Thank God they have made good security layers to keep everything safe and in one place. Only email addresses were stolen, which is a good thing. I don't think there is any data associated with email addresses that can be stolen and which counts as sensitive. More or less we can safely say that it is nothing much but a data leak, as the title stated. However, from a business point of view, this is gonna hurt NEAR peeps because they might see it as unsafe to keep funds in that wallet. Let us hope they do not put it on a no-trust list right away. However, it is advisable that funds be temporarily moved to another wallet for higher safety.


Title: Re: Another data leak from Mailchimp, wallet affected? NEAR
Post by: swogerino on January 19, 2023, 08:00:01 PM
Quote

It's just like an "Email" list leaked.

If you are smart and already aware of how to handle your wallet, ignoring any wallet email in your "Inbox" would be a good option; most of the time, if there is a case like this, you are just going to be a target of "Phishing & Malware".

So, never put in any information or download software from your "Email".

That is great advice. Scammers always become more and more creative, but as the CISSP exam guide (Certified Information Systems Security Practitioner) says, the weakest link in any cybersecurity defense is the human being. With this analogy I want to emphasize what you already suggested, meaning that people clever enough should not click any suspicious link from their email, especially "wallet" things; most wallets never send you such emails unless explicitly asked by the user, and this only with web wallets; desktop wallets like Exodus and many others never send you emails like this.

Social engineering, which is what is being done here, is a phishing attempt to get you to click on the link and put your credentials into some rogue website (incredibly similar to that of the Near wallet, I assume), and your coins will be gone in no time. Never ever click such links.


Title: Re: Another data leak from Mailchimp, wallet affected? NEAR
Post by: hugeblack on January 19, 2023, 09:06:46 PM
I do not know, but once you write your e-mail publicly, it is better to consider that this e-mail may be accessed by other parties, and therefore be careful and carefully read all the messages that reach you.

In general, do not trust that what was leaked is the email only, but rather make sure you have many passwords and renew them every period of time while following the news to stay informed.


Title: Re: Another data leak from Mailchimp, wallet affected? NEAR
Post by: blockman on January 20, 2023, 01:50:41 AM
Quote

I do not know, but once you write your e-mail publicly, it is better to consider that this e-mail may be accessed by other parties, and therefore be careful and carefully read all the messages that reach you.

It's true that when it's already been published, anyone can see it and have it listed, and it spreads like wildfire on the web until that email of yours is already included in someone's database.
I used to receive those fake wallet email notifications, but as I know they will never email me, I don't click those fishy links that say "Click here to recover".


Title: Re: Another data leak from Mailchimp, wallet affected? NEAR
Post by: Apocollapse on January 20, 2023, 03:32:14 AM
How is it possible that a data leak from Mailchimp can affect a wallet?

I don't think there's a user who uses a Mailchimp email to create their own wallet or uses their private email for emailing. Anyone must separate the email, password, phone number, etc. that they create for a wallet or other private account from the email, password, phone number for work or business.

If a user lost their coins because of this email leak, it's their own fault and carelessness.


Title: Re: Another data leak from Mailchimp, wallet affected? NEAR
Post by: Dave1 on January 20, 2023, 05:36:28 AM
I have the same thread open here, mate: Mailchimp hacked again, 133 accounts have been compromised. (https://bitcointalk.org/index.php?topic=5435960.0/)

And as I have said, this is not the first time for Mailchimp to be hacked or breached, and yet they still haven't learned their lesson.

So be careful; maybe there will be spates of phishing emails again based on the leaked data.


Title: Re: Another data leak from Mailchimp, wallet affected? NEAR
Post by: vv181 on January 20, 2023, 06:59:06 AM
Quote

Mailchimp is used by many companies which are too lazy to create/use their own mailing system, and recently many users have received emails like this:

Most companies hand their email deliverability and analytics over to other third-party services. I won't call it lazy, but sometimes outsourcing business requirements is a better decision in their favour.

Anyway, if we dig into the root causes, we should have known better whether a wallet which asks for or requests an email is good enough or not. Personally, I don't think it is necessary for a wallet, even a web wallet, to incorporate email as its authentication/recovery option. We should address the root cause, noting that phishing emails are known as one of many ways scammers do their job, so things like not using a wallet that requires an email and using an email address more cautiously would be better ways.


Title: Re: Another data leak from Mailchimp, wallet affected? NEAR
Post by: Baofeng on January 22, 2023, 11:42:49 PM
Quote

Mailchimp is used by many companies which are too lazy to create/use their own mailing system, and recently many users have received emails like this:

Most companies hand their email deliverability and analytics over to other third-party services. I won't call it lazy, but sometimes outsourcing business requirements is a better decision in their favour.

Yes, this is the main reason why companies hand over, in this example, their email services to a 3rd party. They outsource it so that it will lessen their burden. But in this case it seems to make it worse for them.

Quote

Anyway, if we dig into the root causes, we should have known better whether a wallet which asks for or requests an email is good enough or not. Personally, I don't think it is necessary for a wallet, even a web wallet, to incorporate email as its authentication/recovery option. We should address the root cause, noting that phishing emails are known as one of many ways scammers do their job, so things like not using a wallet that requires an email and using an email address more cautiously would be better ways.

The root cause of the leak is that the criminals are targeting their employees with phishing attempts. And if they fall for it, then they are compromised and the criminals could get into the system. It has been addressed already by Mailchimp, because this is the 3rd time already if I remember correctly. But obviously they have failed, as time and time again they fall victim to these criminals.


Title: Re: Another data leak from Mailchimp, wallet affected? NEAR
Post by: Silberman on January 23, 2023, 04:15:07 AM
Quote

I do not know, but once you write your e-mail publicly, it is better to consider that this e-mail may be accessed by other parties, and therefore be careful and carefully read all the messages that reach you.

In general, do not trust that what was leaked is the email only, but rather make sure you have many passwords and renew them every period of time while following the news to stay informed.

It is key to take whatever comes to your email with a grain of salt, and while it is worrying that Mailchimp got a data leak again, for a user that is cautious this should not change anything, as if at some point we receive an email claiming that one of our wallets is at risk, we must never follow any link which appears in that email and instead we must go to the official website of our wallet and see if there is any announcement which verifies the claims made in that email.


Title: Re: Another data leak from Mailchimp, wallet affected? NEAR
Post by: klidex on January 23, 2023, 08:26:22 AM
Quote

It's good that they're pro-active about the incident. I just find it funny how a protocol that preaches about decentralization is issuing a warning about a failure of a centralized service they used. Not that they are truly a decentralized platform but yes it does sound odd to me hehe.

They should immediately fix and take responsibility for the incident instead of just giving a warning about the failure of the service.
If things like this happen often, no one will believe in their services anymore.
In the future, the level of security in every aspect must be further developed, improved and prioritized so that data leaks and breaches do not occur. A high and good level of security is the main point that must always be put to the fore.


Title: Re: Another data leak from Mailchimp, wallet affected? NEAR
Post by: Nwada001 on January 23, 2023, 09:09:16 AM
It's a good thing that the NEAR team took time out to mail and warn its users of the leak; even though individuals are responsible for their wallet security, they were still advised to take precautions.

Quote

It's just like an "Email" list leaked.

If you are smart and already aware of how to handle your wallet, ignoring any wallet email in your "Inbox" would be a good option; most of the time, if there is a case like this, you are just going to be a target of "Phishing & Malware".

So, never put in any information or download software from your "Email".

In addition to this:
Security is just one thing that's never enough.
Sometimes email leaking and privacy being compromised don't just happen by downloading software from email; sometimes links which come through mail that we click on can be as dangerous as one could never imagine. I have seen cases like that.


Title: Re: Another data leak from Mailchimp, wallet affected? NEAR
Post by: vv181 on January 24, 2023, 04:28:38 PM
Quote

Anyway, if we dig into the root causes, we should have known better whether a wallet which asks for or requests an email is good enough or not. Personally, I don't think it is necessary for a wallet, even a web wallet, to incorporate email as its authentication/recovery option. We should address the root cause, noting that phishing emails are known as one of many ways scammers do their job, so things like not using a wallet that requires an email and using an email address more cautiously would be better ways.

The root cause of the leak is that the criminals are targeting their employees with phishing attempts. And if they fall for it, then they are compromised and the criminals could get into the system. It has been addressed already by Mailchimp, because this is the 3rd time already if I remember correctly. But obviously they have failed, as time and time again they fall victim to these criminals.

I get what causes the leak. I meant we should rethink whether people should use a wallet which requires an email address.

Well, now that I have tried out the web wallet recently, it seems that the wallet creation process did not require any email. It is just a regular process of generating seed phrases, nothing further. The wallet has a feature to buy via centralized services, but I don't think the wallet keeps the email address if users are using that feature. I don't know specifically which email information is subject to this; maybe it is the NEAR website newsletter or the forum itself.