Trezor mailing list breached

[Pmalek]

A new day brings about a new breach that has affected users of hardware wallets.  
Trezor has today confirmed that the MailChimp platform for marketing services has been compromised by an insider. Crypto companies were the target of the breach.

Trezor has confirmed that the emails of their users have been obtained. Phishing sites have been created and there are reports of fake emails being sent to Trezor users instructing them to download a new version of the Trezor Suite. The email that is circulating is professionally written and explains how a security incident is the cause of an urgent upgrade. Here is how the phishing emails look.

More info is available here:
https://twitter.com/Trezor/status/1510558771944333312
https://www.reddit.com/r/TREZOR/comments/tv5yn9/we_are_investigating_a_potential_data_breach_of/

Trezor doesn't know the full scope of the attack just yet. Let's hope it's only email addresses and nothing more. The fake emails are being sent from noreply@trezor.us! This is a phishing site, don't download or open anything you get from this domain!
Trezor has confirmed they won't be sending out their newsletters until further notice.

No information about the leak on MailChimp's Twitter feed yet.

Edit: Some new pieces of information:

• Trezor users who have never signed up to any newsletter claim to have received the phishing emails as well.
• According to this reddit post, the fake software that users are instructed to download has a keylogger attached to it.
• Reddit posts warning users about the attack are being downvoted.

[1715284398]

1715284398

[1715284398]

1715284398

[Hispo]

Shame on Trezor, they should have known better before handing over such information of their clients to a third party.

Trezor users who have never signed up to any newsletter claim to have received the phishing emails as well.

Would not that imply that Trezor lied to us when when said they make anonymous client's data after a centain period of time after a purchase?

Implying those e-mails were used to buy a Trezor but were not signed up to the newsletter, of course.

[Pmalek]

Would not that imply that Trezor lied to us when when said they make anonymous client's data after a centain period of time after a purchase?

Implying those e-mails were used to buy a Trezor but were not signed up to the newsletter, of course.

It's unclear how much time has passed after that user allegedly purchased his hardware wallet and received that phishing email. All companies will put their interest in front of their client's. What they say and what they actually do can be two different things. Storing data longer than needed or not deleting it in time is what they will do rather than having Mr. government/tax officer come knocking and requesting data or handing out fines. 

This user claims he lost £55.000 after he received a phishing email. He though it was legit, so he downloaded the fake Trezor software, and INSERTED HIS SEED when requested. No matter how often you hear warnings never to do that, it's obviously not enough.     

[TheBeardedBaby]

Oh not Trezor too. All these hardware wallets had their user data compromised. I got an update notification from the Trezor Suite and I installed the last version yesterday, I hope it's not the case as the Electrum fake update from a few years ago.
I'll check it as soon as I get back home.

[witcher_sense]

Trezor users who have never signed up to any newsletter claim to have received the phishing emails as well.

Interestingly, I have been subscribed to their email list for a while but haven't received any phishing trezor emails; my spam folder is also empty. How do I check if my email address has been compromised or not, especially considering the fact that the haveibeenpwned platform says I am good? Is the list of compromised emails even available to the public?

Would not that imply that Trezor lied to us when when said they make anonymous client's data after a centain period of time after a purchase?

Implying those e-mails were used to buy a Trezor but were not signed up to the newsletter, of course.

The more logical explanation would be that random scammers took advantage of the given situation and started to massively attack each email address known as associated with cryptocurrency activities or hardware wallets purchases. For example, those users whose emails were compromised in the Ledger data breach could also become victims of Trezor phishing attacks.

It could also be that Trezor lied to us and never deleted customers' data.

[Pmalek]

I got an update notification from the Trezor Suite and I installed the last version yesterday, I hope it's not the case as the Electrum fake update from a few years ago.
I'll check it as soon as I get back home.

Unless you downloaded the software from a link you received in your email, you should be fine. The official Trezor Suite software has not been compromised and hopefully won't be. A malware-infected app that also requires you to enter your seed is what is causing all the problems.

You can verify the binaries of your Trezor Suite following this guide. It should be noted that you are downloading everything from Trezor's official download page. Similarly to the way you verify the signatures for Ledger software, you have to trust that what is hosted on the site is genuine and hasn't been compromised.

How do I check if my email address has been compromised or not, especially considering the fact that the haveibeenpwned platform says I am good? Is the list of compromised emails even available to the public?

It's probably to early to tell at this stage. I am sure they are still investigating how many people have been affected. 

[SFR10]

• Trezor users who have never signed up to any newsletter claim to have received the phishing emails as well.

That's not good ^[SMH]! Why did they give those emails to MailChimp ^{[those emails have nothing to do with their newsletter]}?
^{- I'm glad I bought my HW from one of their official resellers.}

• Reddit posts warning users about the attack are being downvoted.

IIRC, there was a way to either disable or hide that feature on each subreddit ^{[they should temporarily do it]}.

This user claims he lost £55.000 after he received a phishing email.  

Another "victim".
List of other domains:

• #1
• #2

[Pmalek]

That's not good ^[SMH]! Why did they give those emails to MailChimp ^{[those emails have nothing to do with their newsletter]}?

Who knows mate. Who knows if the post I read is even true. I am sure some will be happy to get to throw some dirt around and participate in the attack and destruction. Some claims might even be fake.

IIRC, there was a way to either disable or hide that feature on each subreddit ^{[they should temporarily do it]}.

I am not that familiar with reddit to be honest. I do expect that channel moderators have some sort of tag next to their names, right? What I have noticed in all these posts is that I can't see Trezor moderators post anything or reply to user concerns. 

[Charles-Tim]

After running full node, using Tor, the best way to privacy is by not given out your personal data to another party, once it is given out, it is no more private. It is just like once a word left your month, like telling a friend about something, even if it is said to be kept secret, do not be surprised if you hear the secret from a place far from your home or if known to the public. If the word remains to yourself, then it remains perfectly secret. The only way to this type of privacy is by using paper wallet or wallet on airgapped device.

That's not good ^[SMH]! Why did they give those emails to MailChimp ^{[those emails have nothing to do with their newsletter]}?

Any company can do that, any company can sell data, the best is to just know how to go about it, using everything not link to you to purchase hardware wallet (not only Trezor, but all others, they are all the same). Only when you personal data are protected and private is when you have never given it to any company, once you provide a company with your personal data, then it is no more private but public because the company it is given to can be hacked and the data stolen, or the company can give it out or sell it to other companies.

[dkbit98]

If you think that only Trezor emails were breached from Mailchimp hack then you are up for a big surprise soon  
Anything crypto related that you ever signed up could be exposed, so you can expect to receive similar scam emails from exchanges and other wallets.
I received this fake email on my temp email address (that was only used for Trezor newsletter), and I knew it from start that this is a scam, even more when I saw puny code domain address...
Looks like trezor is trying hard to compete with ledger in making bad decisions  

You can read my experience with this trẹzor scam HERE.

[Pmalek]

Trezor's first explanation of the hack has been posed on their blog:
Ongoing phishing attacks on Trezor users

We are already familiar with most of the content in the post, so there is no need to comment on anything in particular.
However, there is one interesting part.

Trezor customer order data is purged after 90 days. The data contained in this leak originates from a separate database secured by a third party.

Hopefully that third-party (MailChimp) only has data on Ledger newsletter recipients and this isn't their way of saying that the 3rd party has access to more than that and stores it for longer periods of time.

[hugeblack]

Trezor customer order data is purged after 90 days. The data contained in this leak originates from a separate database secured by a third party.

I've read the article but I can't find details. Will it update how data is shared with third parties or update it? All they talked about was updating their newsletter.

In general, why is there no password (special character) assigned to each account that is added at the end of each message?
I think that such an update will make it more difficult for the scammers, although I don't think they will delete their database within the 90 days or give proof of that.

[PawGo]

• Trezor users who have never signed up to any newsletter claim to have received the phishing emails as well.

They could have a big problems if GDPR office will audit them. In EU penalty fees sometimes could be insane.

[Pmalek]

haveibeenpwned doesn't mention either Trezor or Mailchimp to their "Recently added breaches" list, so i don't think there's way to know unless you got scam email about trezor wallet/app.

It's still too early for that, and we haven't heard anything about the leaked data being sold online or being posted somewhere publicly. I just took a quick look at their reddit page. Considering the situation, it's positive that they aren't being flooded with new threads from customers complaining about having lost funds due to the emails they received. There are only sporadic mentions of such in some of the older threads.

[worldtraveller321]

so does this mean it would be a bad idea to consider Trezor as a wallet at this time?

[PawGo]

I would rather say it is a bad idea to consider mailchimp as a mass mailing software..

[PrivacyG]

This only makes me wonder how far the information you fill in a website's order form can finally reach.  If users who have never signed up for Trezor's newsletter have received phishing e-mails as well, is it possible that Trezor has been using the same e-mail for both marketing and order confirmations?  Otherwise, maybe they are using the same user database throughout all of their e-mails?

so does this mean it would be a bad idea to consider Trezor as a wallet at this time?

No.  Trezor is still safe.  What may not be safe is how you store your seed and the method you use to acquire your Trezor.  Long as you store your seed properly and use the least amount of real personal information about you when ordering, all should be just fine.  Use a PO Box, a fake e-mail address, a disposable SIM card and if you can a fake name too and you are good to go.  Now you can avoid most of the attacks.

-
Regards,
PrivacyG

[Pmalek]

so does this mean it would be a bad idea to consider Trezor as a wallet at this time?

This leak, unfortunate as it is, does not affect the security of the Trezor hardware wallets or your funds. It does affect your privacy though. If the data gets sold or posted publicly, and it's very likely that one or both of those things will happen, Trezor users will start getting bombarded with phishing and scam emails. They already are to some extent.   

One can only hope that the MailChimp database didn't hold anything else besides email addresses.
It's a bad idea to store data from your costumers with a third-party company. However, even if you store it locally at your own servers, you could still experience the same issues. If you remember the Ledger incident, their client database was hacked both from their own servers and the one that was kept by a third party.

It's a bad idea to have unsatisfied employers have access to computers, software, and servers that hold sensitive information.     

[PrimeNumber7]

This user claims he lost £55.000 after he received a phishing email. He though it was legit, so he downloaded the fake Trezor software, and INSERTED HIS SEED when requested. No matter how often you hear warnings never to do that, it's obviously not enough.    

It has been several years since I purchased my trezor HW wallet, however IIRC, there is clear instructions on the packaging and on the paper backup card to not ever allow the seed to touch a computer. It is unfortunate that this person lost his money, but he also needs to use better judgment.

I received an email from someone claiming to be trezor informing me that my email was part of the breach. It is annoying that my information was leaked, however, I will add it to the list of companies that have leaked my personal information. I have learned that it is best to use a unique, disposable email for each company that I deal with.

It is not a question of if your personal information will be leaked by any company you deal with, it is a question of when.

[Pmalek]

It has been several years since I purchased my trezor HW wallet, however IIRC, there is clear instructions on the packaging and on the paper backup card to not ever allow the seed to touch a computer. It is unfortunate that this person lost his money, but he also needs to use better judgment.

I agree. He became a victim of a phishing attack. The breach and data leak didn't cause the loss of funds. The fact that he entered a seed phrase into a fake wallet that came from an unofficial email address did.

I received an email from someone claiming to be trezor informing me that my email was part of the breach.

Did you subscribe to Trezor's newsletter?

Trezor says that all customer data is purged after 90 days, but you received the phishing email 2 years after your purchase. That means that MailChimp keeps user data for much longer to be able to send new versions of the newsletters (which is logical). I wonder what measures they take once a person unsubscribes from the Trezor newsletter? Would the customer data be deleted or kept on record for an extensive period of time, and for how long?