Trezor mailing list breached

[dkbit98]

It is not a question of if your personal information will be leaked by any company you deal with, it is a question of when.

This is probably true and there is no real protection against that, except by using alternative and fake personal information, temporary emails and secondary phone numbers.
I remember one day I received multiple phone calls on my alt phone number, calls came in exact same time with small time difference, they came from different countries around the world.
Later I tried to call one of those numbers (with my hidden ID) and I received voice info that number is not in function and it can't receive any calls.
Something like this can make a person little paranoid, but it's better to be slightly paranoid than to get scammed or blackmailed.

Trezor says that all customer data is purged after 90 days, but you received the phishing email 2 years after your purchase. That means that MailChimp keeps user data for much longer to be able to send new versions of the newsletters (which is logical).

I never used my normal email for any Trezor purchase, but I received one phishing email on my dedicated Trezor temp-email I used only for purpose of reading their newsletter.
One thing I am sure is that I used that email for trezor newsletter more than 90 days, so it seems that deleting function is not working for malichimp or they are lying

[1714934049]

1714934049

[1714934049]

1714934049

[1714934049]

1714934049

[Pmalek]

I never used my normal email for any Trezor purchase, but I received one phishing email on my dedicated Trezor temp-email I used only for purpose of reading their newsletter.
One thing I am sure is that I used that email for trezor newsletter more than 90 days, so it seems that deleting function is not working for malichimp or they are lying

Maybe Trezor isn't lying, and they are deleting customer data after 90 days. We still don't know. What is certain is that those users who have subscribed to Trezor's newsletter have had their email addresses shared with MailChimp. Trezor has no control over what that other parry is doing, and as you can see from your own example, data older than 90 days is obviously not deleted from MailChimp servers. 

[PrimeNumber7]

I received an email from someone claiming to be trezor informing me that my email was part of the breach.

Did you subscribe to Trezor's newsletter?

Trezor says that all customer data is purged after 90 days, but you received the phishing email 2 years after your purchase. That means that MailChimp keeps user data for much longer to be able to send new versions of the newsletters (which is logical). I wonder what measures they take once a person unsubscribes from the Trezor newsletter? Would the customer data be deleted or kept on record for an extensive period of time, and for how long?   

I searched my email, and I was able to find some emails from trezor that at the bottom say that I am receiving the message because I opted into the newsletter for trezor product updates. When I first started writing this post, I started to say that I did not subscribe, however it appears that in fact, I did.

I suspect more people subscribed to this newsletter than they realize. I tried clicking on the link to manage my subscription preferences and got an error message, so I am not sure what other newsletter types trezor has. I am sure that MailChimp has their own retention policy, and is likely to follow that policy.

It is not a question of if your personal information will be leaked by any company you deal with, it is a question of when.

This is probably true and there is no real protection against that, except by using alternative and fake personal information, temporary emails and secondary phone numbers.

It is expensive to use additional phone numbers for each service, but I agree with using additional email addresses. Apple's iCloud service allows users to automatically provide a "masked" email address to companies so they will not have my actual email address. Emails sent to that masked email will be delivered to my iCloud email inbox, but I can easily disable any of the masked email addresses.

I remember one day I received multiple phone calls on my alt phone number, calls came in exact same time with small time difference, they came from different countries around the world.
Later I tried to call one of those numbers (with my hidden ID) and I received voice info that number is not in function and it can't receive any calls.
Something like this can make a person little paranoid, but it's better to be slightly paranoid than to get scammed or blackmailed.

There are a lot of scammers that will spoof phone numbers when sending mass calls. For years, I have received spam/scam phone calls from numbers with the same area code and same first three digits of the phone number as mine, probably as an effort to get me to pick up. On occasion I try calling these numbers back, and most frequently, the number cannot receive calls.

[dkbit98]

Today I heard news for one more Mailchimp exploit related with Bitmex exchange, so it's not only Trezor wallet newsletter that is affected.
This is just confirmation of my suspicions that more exchanges are using Mailchimp and similar services.
Bitmex claims that no sensitive information was leaked, but people should expect to receive phishing email soon, so better get ready.

What should you do if your email was leaked?
- Change email address.
- Use unique strong passwords for your accounts.
- Use Two-Factor Authentication.
- Use Password manager like Keypass.

Email Bitmex customers are receiving on their emails:

Code:

We are contacting you because one of our email marketing vendors, Mailchimp, has informed us of a security breach they experienced that may have resulted in the exposure of your email address and name to a malicious actor.

No sensitive BitMEX data (such as passwords, account balances / addresses, trading history, etc.) was compromised because this issue affected the third-party vendor only.

BitMEX uses multiple vendors including Mailchimp to manage email mailing lists and newsletter sends.

We take this security breach at Mailchimp extremely seriously and as such have stopped using Mailchimp services.

However, going forward we strongly recommend that you continue to be vigilant for email phishing scams that might follow from the malicious actor, which according to Mailchimp targeted some of its crypto and finance clients.

Below, we have also outlined further actions you can take out of an abundance of caution to further safeguard your online accounts.

More Details from Mailchimp

Mailchimp recently advised us that they became aware of a malicious actor accessing one of their internal tools used by customer-facing teams for customer support and account administration. The actor gained access to this tool as a result of a successful social engineering attack on Mailchimp employees.

Mailchimp confirmed they swiftly addressed the situation by terminating access for the compromised employee accounts and taking steps to prevent additional employees from being affected.

Since taking these actions, Mailchimp advises they have seen no further malicious activity. They also advise us that they have undertaken a comprehensive security review of all their systems. We are as of yet unaware of any attempts by the malicious actor to send phishing messages to the email addresses that may have been exposed.

What Actions Can You Take?

In line with security best practices, we strongly recommend that all users protect their BitMEX and personal accounts by using strong and unique passwords, enabling Two-Factor Authentication, and using a password manager.

As a reminder, BitMEX Support will never ask you for your account password. If you observe unusual activity on your account, or if you receive an email that you believe may be fraudulent or phishing, please contact Support and we will be glad to assist you.

We constantly review our vendor relationships on the basis of many factors such as terms of services, service level agreement, and security.

As always, if you have any queries please contact support@bitmex.com.

Regards,
The BitMEX Team.

 

[Pmalek]

<Snip>

That's only the second crypto-related business that has confirmed that user data from their customers has been hacked. I think that it was initially reported by MailChimp that their investigation has discovered that data from over 100 different crypto companies has been illegally obtained by that fraudster/insider. Whoever has gotten access to the database isn't in a hurry and is taking his/her time to decide how to proceed.

[dkbit98]

I just received new email from Trezor claiming this will be the last one coming via mailchimp.
According to this email, information stolen from this attack was email address and IP address used for newsletter signing up.
Anything received in future should be considered as phishing attack or attempts to scam you, so I would suggest blocking everything coming from this email or start using alternative address.

Trezor also released more details on their blog page with more information and answering on some questions asked by their customers:
https://blog.trezor.io/details-of-the-mailchimp-data-breach-a06872caa1fd

Full content of received email:

Code:

Details of the Mailchimp data breach

This email contains details of a data breach which compromised our mailing provider between February and April 2, 2022.

The attack saw Mailchimp employees being phished for privileged access to customer accounts, resulting in the theft of email addresses and in some cases names of subscribers and other data.

Below you will find specific data belonging to you which was stolen in the attack.
Data stolen in the attack

- Your email
- Your IP address

Please use this information to protect yourself and be wary of any incoming mail, as the targeted data is being used to send phishing emails to your inbox. Avoid clicking on any links in emails, and never ever enter your seed into a computer without your Trezor device telling you to do so.

This is the latest information we have, following a week of investigation and reluctant cooperation from Mailchimp's senior security staff. You will find a timeline of events on Trezor blog, but we will not be providing any links here so this message does not get confused for a phishing attempt.

You will not receive any more emails from Trezor via Mailchimp. Given the broad scope of the attack, it is important that you remain on alert for phishing attacks coming from other sources, as hundreds of other brands and projects which have not yet been disclosed were also targeted.

For inquiries, please contact our security team at security@satoshilabs.com.

[Pmalek]

Below you will find specific data belonging to you which was stolen in the attack.
Data stolen in the attack

- Your email
- Your IP address

This is the data that was stolen from you specifically. Different people probably received different notifications about the data that was stolen from them. The email mentions that in some cases even names were leaked and other data. This "other data" is the worrying part. That could also mean addresses or phone numbers.

Trezor stated they won't be using MailChimp any longer. However, not much will change. Read this:

We will begin migrating to a new mailing platform once we have thoroughly assessed other options for compliance and data security.

https://blog.trezor.io/details-of-the-mailchimp-data-breach-a06872caa1fd

[PrimeNumber7]

Today I heard news for one more Mailchimp exploit related with Bitmex exchange, so it's not only Trezor wallet newsletter that is affected.
This is just confirmation of my suspicions that more exchanges are using Mailchimp and similar services.
Bitmex claims that no sensitive information was leaked, but people should expect to receive phishing email soon, so better get ready.

Appearently Mailchimp has a decent number of crypto-related companies as their customers.

Mailchimp is likely to only have a list of email addresses, and at most your name (although this could be limited to your first or last name and gender). Obviously, the fact that you are likely a customer of a particular company was also leaked, which allows the hacker to send phishing emails.

[SFR10]

This "other data" is the worrying part. That could also mean addresses or phone numbers.

Exactly and I just found out because of the shipping companies that they're using, they "can't deliver to P.O. boxes"!

Trezor stated they won't be using MailChimp any longer. However, not much will change. Read this:

We will begin migrating to a new mailing platform once we have thoroughly assessed other options for compliance and data security.

As a Trezor user, I'm quite disappointed by the fact that they're still trying to do the same thing ^[SMH]... Am I the only one who thinks they're quickly becoming Ledger 2.0?

[Lucius]

As a Trezor user, I'm quite disappointed by the fact that they're still trying to do the same thing ^[SMH]... Am I the only one who thinks they're quickly becoming Ledger 2.0?

You are not the only one who thinks so, because it is completely incomprehensible to me that companies that produce devices that should store extremely sensitive information behave in this way. We can say that Ledger was negligent and that someone played them as a group of amateurs, but the question arises why the Trezor did not make sure that this did not happen to them?

Not only has a similar (or the same thing) happened to them, but like Ledger, they can't say exactly what the hacked data is - and I'm sure they'll try to downplay the whole scandal the same way Ledger tried. If someone is identified as a customer of hardware wallets, with their full name, address, phone number and email address then it is a serious threat to someone's security.

[Pmalek]

Am I the only one who thinks they're quickly becoming Ledger 2.0?

Ledger took it one step further because they got hacked twice. They weren't at fault that Shopify got hacked. Well, their mistake was using Shopify, but not the hack itself. The second breach was the hack of one of their servers. They should be blamed for the second one.

Someone posted a tweet not that long ago coming from Passport representatives in which they said that they are hosting the customer data on their own servers. They aren't using a service company like MailChimp. Probably dkbit98 since he is the thread started of the thread about Passport HW. Either way, it's a game of bingo. A game of who will get hacked next, not will it happen.

...and I'm sure they'll try to downplay the whole scandal the same way Ledger tried.

Trezor's reddit page is relatively calm and we don't see the same shitstorm that the leak of Ledger's database caused. At least that's good.

[JL0]

Am I the only one who thinks they're quickly becoming Ledger 2.0?

Ledger took it one step further because they got hacked twice. They weren't at fault that Shopify got hacked. Well, their mistake was using Shopify, but not the hack itself. The second breach was the hack of one of their servers. They should be blamed for the second one.

Someone posted a tweet not that long ago coming from Passport representatives in which they said that they are hosting the customer data on their own servers. They aren't using a service company like MailChimp. Probably dkbit98 since he is the thread started of the thread about Passport HW. Either way, it's a game of bingo. A game of who will get hacked next, not will it happen.

...and I'm sure they'll try to downplay the whole scandal the same way Ledger tried.

Trezor's reddit page is relatively calm and we don't see the same shitstorm that the leak of Ledger's database caused. At least that's good.

They still use a provider. Read the comments from @god_of_bitcoin's here: https://twitter.com/FOUNDATIONdvcs/status/1506353091305684995

We self host our marketing software, which stores our email list and composes+automates emails.

We do use an SMTP service, which is pretty much impossible to avoid, but the provider purges each email from the log after 5 days.

You can read it here:
https://twitter.com/FOUNDATIONdvcs/status/1506353091305684995
https://twitter.com/zachherbert/status/1508507819489824770

[Lucius]

Trezor's reddit page is relatively calm and we don't see the same shitstorm that the leak of Ledger's database caused. At least that's good.

For now, it seems that this data leak cannot be compared to what came out of Ledger, but perhaps the reason is that the hacker still keeps the hacked data to himself, and will later try to sell it until it is finally publicly available. In the event that only e-mails are found to be hacked, the whole thing will most likely be quickly swept under the rug - especially if we know that hundreds of thousands of Ledger customers ended up much worse, and today almost no one mentions that it happened (although I read that there are some lawsuits).

[dkbit98]

Exactly and I just found out because of the shipping companies that they're using, they "can't deliver to P.O. boxes"!

That is some crappy excuses, and I don't see what's wrong with PO Boxes being used for anything, unless you are trying to spy on people.
One alternative you can use it to rent some cheap house that you use only for delivery of packages, and combine that with separate alternative phone number.

As a Trezor user, I'm quite disappointed by the fact that they're still trying to do the same thing ^[SMH]... Am I the only one who thinks they're quickly becoming Ledger 2.0?

It's impossible to become new ledger, because ledger is always making worse decision and it can't be compared with millions of leaked data from their hack(s).
I am not going to defend trezor in any way, and they seriously need to change the way people are ordering wallets, but I think this could be applied to all hardware wallets.
It's much better to buy them locally with cash, without leaving any digital evidence, or just make your own DIY from Raspberry Pi or M5Stick (SeedSigner or Krux).