Trezor's 3rd-Party Support Portal was Hacked

[Pmalek]

Trezor has just informed the public that there was a security incident on 17 January 2024 that affected their third-party support ticketing portal. Someone gained access to the platform and certain sensitive data.

Here is what is known so far:

- The hack DID NOT compromise the hardware wallets or seeds of users in any way.
- Trezor was not hacked. A third-party service they use was compromised.
- The hack affected users who may have been in contact with Trezor customer support since December 2021.
- It's believed that up to 66,000 users may have been affected.
- The leaked data involves email addresses and names/usernames used.
- The hacker already contacted 41 users and requested they email him their seeds to "check the firmware version on their device."

Trezor has already started contacting the 66,000 users they believe may have been affected. If you are among those, expect an email from noreply@trezor.io today or tomorrow.

Here is an example of the phishing email that customers received from the hacker:


What now?
Nothing changes. Never enter your seed or send it to anyone, no matter who asks. Think before you do anything that might compromise you and your funds.


You can read a detailed report on the security incident on the Trezor blog:
https://blog.trezor.io/trezor-security-update-stay-vigilant-against-potential-phishing-attack-bb05015a21f8

[1714322000]

1714322000

[1714322000]

1714322000

[1714322000]

1714322000

[1714322000]

1714322000

[1714322000]

1714322000

[Churchillvv]

What now?
Nothing changes. Never enter your seed or send it to anyone, no matter who asks. Think before you do anything that might compromise you and your funds.

If someone has move from software wallet to a hardware like trezor I believe he/she most have know the pros and cons or does and don't of wallets. So from my perspective I don't want to believe that someone would fall for this simple trick of sending your passphrase to anyone. Even before you could finish setting up your trezor wallets passphrase there is a caution that says "do not give out your passphrase to anyone it's your private property." That should be enough warning except for the fact that it was targeted on users who might have been offline.

[Pmalek]

If someone has move from software wallet to a hardware like trezor I believe he/she most have know the pros and cons or does and don't of wallets. So from my perspective I don't want to believe that someone would fall for this simple trick of sending your passphrase to anyone.

It sometimes amazes me what kind of cheap tricks people fall for. It's things like giving scammers their seeds and private keys by entering them in a phishing site that is on top of the list. It still works, and scammers still make money that way. In other cases, it's carelessness or tiredness that causes people to commit mistakes and not notice what they are doing.

Even before you could finish setting up your trezor wallets passphrase there is a caution that says "do not give out your passphrase to anyone it's your private property." That should be enough warning except for the fact that it was targeted on users who might have been offline.

Don't mistake the recovery phrase/seed for the passphrase. Those are two completely different things. Trezor surely cautions you not to give out the recovery phrase. The passphrase is an advanced and optional security feature that you can set up if you want, but it's not a requirement to do so. Due to Trezor's unfixable seed extraction vulnerability, it's recommended to have one or multiple passphrases set up.   

[Learn Bitcoin]

I have just checked the post by Trezor and came to this board to see if this was posted or not. It's surprising how these crypto hacks continue. Even though it wasn't the Trezor but the 3rd party support center they use, still it's alarming. Trezor claims that no one was affected but approximately 66000 users' email and nicknames were leaked. This means the hacker has a list of 66000 Trezor users and he will surely try to use those emails to do something.

Even though they have regained access to their support center, the hacker still has a chance to use email spoofing and send emails to those Trezor users and try various hacking attempts like sending malware and asking them to download, or asking them to use new web portal which could be phishing and numerous more methods they may try. There are still a few percentage of people who might believe those emails and try those things.

[Husires]

I am surprised that despite the hacker's efforts to access the basic system and some sensitive data, including the email address, he exploits it in a trick to send seeds. hacker was able to develop a fake Trezor Suite App and ask users to download it, connect their wallets, and then steal it easily.
Why does Trezor retain customer data from December 2021, and what is their need for this data, since the user does not interact with the company directly after purchasing the devices?

[BlackHatCoiner]

Pretty much what Learn Bitcoin said. The problem isn't the phishing attack per se; I mean, it really sucks if someone fell for that, but they can't have missed the many warnings. (If I recall correctly, once the seed is generated, it displays a "Never share it with anyone" message)

The problem is, for once more, the data the hacker possesses right now. That email and name list will sooner or later be sold at Breached or some other corner of the darknet, and there will be victims.

[Pmalek]

Trezor claims that no one was affected but approximately 66000 users' email and nicknames were leaked. This means the hacker has a list of 66000 Trezor users and he will surely try to use those emails to do something.

The hacker doesn't necessarily have the information of 66,000 Trezor users. They have information on (according to reports) a maximum of 66.000 users that contacted Trezor support from December 2021. Many of them are surely owners of their hardware wallets, other's could be interested parties, like you and me, who sent an email and asked for information or clarification on some points.

Trezor stated that they still don't have information if there were any victims, but they know of 41 phishing emails that were sent out. That was the information that was available when I created this thread.

hacker was able to develop a fake Trezor Suite App and ask users to download it, connect their wallets, and then steal it easily.

They didn't develop a fake app. This is a phishing scheme. A social engineering attempt to get you to email them the seed.

Why does Trezor retain customer data from December 2021, and what is their need for this data, since the user does not interact with the company directly after purchasing the devices?

It's not Trezor's data. It belongs to the 3rd-party service they use for the customer support portal. Their TOS and Privacy Policy will shed more light on how long they retain customer information.

[Learn Bitcoin]

Pretty much what Learn Bitcoin said. The problem isn't the phishing attack per se; I mean, it really sucks if someone fell for that, but they can't have missed the many warnings. (If I recall correctly, once the seed is generated, it displays a "Never share it with anyone" message)

Unfortunately, only a few percentage of these users are on the crypto forum or follow the blog websites. Most people come online just to heck their social media. No matter how many times we write these warnings, still there will be users who haven't seen our discussion and the warnings posted on the internet. You and I know what we should avoid, but we cannot expect everyone to be veteran crypto users. A lof us still get confused when we receive phishing emails.

The problem is, for once more, the data the hacker possesses right now. That email and name list will sooner or later be sold at Breached or some other corner of the darknet, and there will be victims.

This is unfortunate. But, once a thing is compromised, we can't do anything except what we doing now. Spread the news as much as possible and share it with the hardware wallet users.

The hacker doesn't necessarily have the information of 66,000 Trezor users. They have information on (according to reports) a maximum of 66.000 users that contacted Trezor support from December 2021. Many of them are surely owners of their hardware wallets, other's could be interested parties, like you and me, who sent an email and asked for information or clarification on some points.

I understand that. Maybe the hacker didn't backup the list of users and emails. Or maybe he wasn't able to collect all the information. Or maybe he has 50K emails and usernames. We never know, right? So, let's assume all the data available on their support center was leaked.

[m2017]

- The hack affected users who may have been in contact with Trezor customer support since December 2021.
- It's believed that up to 66,000 users may have been affected.
- The leaked data involves email addresses and names/usernames used.

Here's that same bullshit again. Why store personal data (email addresses and names/usernames) for years? In anticipation that one day they will be kidnapped like this time? Trezor went through this stage and reduced the storage period for customer information to 3 months. In order for their partners to understand this and introduce adjustments to their behavior policies, did they necessarily need to screw up themselves? Now users ("up to 66,000 users") will have to carefully scrutinize every email so as not to run into phishing attacks due to their ("trezor's third-party support ticketing portal") stupidity.

- The hacker already contacted 41 users and requested they email him their seeds to "check the firmware version on their device."

Some weird hacker. Does he write each letter manually and send it manually? Could this not be automated?

What now?
Nothing changes. Never enter your seed or send it to anyone, no matter who asks. Think before you do anything that might compromise you and your funds.

That's right, nothing changes. When providing any information about yourself, even to trusted service providers, be prepared that they will leak your data. Necessarily. It's only a matter of time. And a reasonable question arises: are they not abusing the requirements to provide information from buyers every time?

Ways to protect yourself from the consequences of this:
- Use a new email address each time only for a specific service provider, don't provide any of your personal data, as far as possible. And of course, don’t fall for phishing.

[SFR10]

- The leaked data involves email addresses and names/usernames used.

One of their Reddit mods ^[@kaacaSL] mentioned "maximally 8 phone numbers could have been compromised" as well ^{[unfortunately]}.

Here is an example of the phishing email that customers received from the hacker:
https://www.talkimg.com/images/2024/01/20/kawNg.jpeg

And "here's" a different attempt by the hacker.
^{- The previous version probably wasn't that successful.}

[Pmalek]

Here's that same bullshit again. Why store personal data (email addresses and names/usernames) for years?

There are probably laws and regulations requiring businesses to store client information for some time. I have no expertise in these areas to be able to answer that question probably. But each country has their own laws. Each regulator its own regulations and restrictions.  

Some weird hacker. Does he write each letter manually and send it manually? Could this not be automated?

Maybe he did. What makes you think he writes a unique email for each potential victim? Is it the huge difference between the allegedly affected individuals (66,000) and the 41 emails that Trezor mentioned they know were sent?

One of their Reddit mods ^[@kaacaSL] mentioned "maximally 8 phone numbers could have been compromised" as well ^{[unfortunately]}.

So the numbers are increasing slowly. Hopefully, it doesn't turn into a huge affair, much bigger than what was originally thought.

[dkbit98]

I never received any phishing emails from fake trezor yet, but I learned my lesson with ledger.
Always use new email address or alias for each service, and always try to purchase something locally with cash and without writing any personal info, or use anonymous lockers for delivery.
I don't see any good reason to contact trezor support, unless there was a lost package, device stopped working or something similar.

This is one of the reasons why DIY devices like Krux and Seedsigner are getting more and more popularity, but you can get phishing attacks with anything.
I know a guy who recently received phishing viber message telling him that his ''package'' arrived and he needs to contact (fake) post office to pick it up. 

[tread93]

Why does Trezor retain customer data from December 2021, and what is their need for this data, since the user does not interact with the company directly after purchasing the devices?

It's not Trezor's data. It belongs to the 3rd-party service they use for the customer support portal. Their TOS and Privacy Policy will shed more light on how long they retain customer information.
[/quote]

To my knowledge Trezor only holds onto customer ordering info for up to 30 or 90 days I can't remember which. I am curious to see what happens to their reputation if anything as a result of this hack. It appears that it was largely outside of their control seeing as one of their third party vendors was hacked and they were not directly hacked.

[hugeblack]

Protonmail provides privacy features such as creating alias, verifying the link before receiving, and better filters for messages, so purchasing the paid service and using alias for each service will provide you with a good solution.

To my knowledge Trezor only holds onto customer ordering info for up to 30 or 90 days I can't remember which. I am curious to see what happens to their reputation if anything as a result of this hack. It appears that it was largely outside of their control seeing as one of their third party vendors was hacked and they were not directly hacked.

It is useless when your data may be shared with third parties. These third parties may have a different privacy policy and may keep your data for years, and there is no provision that requires Trezor to contact the third parties to delete your data within 90 days.

[SFR10]

I don't see any good reason to contact trezor support, unless there was a lost package, device stopped working or something similar.

Apart from lost packages, I'd go with creating a thread on their forum instead.

To my knowledge Trezor only holds onto customer ordering info for up to 30 or 90 days I can't remember which.

It's 90 days but they "only anonymize it", as opposed to deleting it ^{[I got mixed feelings about it]}!
^{- It's worth noting that the issue we're facing at the moment is about their customer support data (the above data that you were referring to wasn't affected).}

[Pmalek]

I never received any phishing emails from fake trezor yet, but I learned my lesson with ledger.

If what Trezor said was true, you shouldn't get any unless you contacted customer support starting from December 2021 and up until a few days ago.

I don't see any good reason to contact trezor support, unless there was a lost package, device stopped working or something similar.

Those are the usual topics of discussion. However, I am sure there are people who have a question or two they want to clear with the support before ordering their product. I honestly can't remember the reason I spoke with them. But one of my emails is apparently on the list. I guess it's a good time to check my Will Hardware Wallet Manufacturers Leak Customer’s Email Data topic and see if there is something there that shouldn't be.

[Yanakitu Tenatako]

Hi,

I just got very suspicious mail from trezor.io





it says:

Dear customer.

This email is to let you know your wallet assets are undergoing a upgrade.

In an effort to upgrade our infrastructure we are temporarily disabling the following networks:

BTC, ETH, XRP, ERC20, BEP20, TRON, TRC20
We are requiring action from our users to re-enable the networks.

Important: Failure to upgrade your networks could result to full funds loss

[dkbit98]

Protonmail provides privacy features such as creating alias, verifying the link before receiving, and better filters for messages, so purchasing the paid service and using alias for each service will provide you with a good solution.

Proton charges for using their alias feature, but I found one great alternative that can be used for free with some limitation, and you can pay to have more of them.
Anyone interested can contact me if they want ref link, but you don't have to buy anything

Apart from lost packages, I'd go with creating a thread on their forum instead.

Or ask them directly in twitter, reddit and other places where they are active in providing some type of support.

If what Trezor said was true, you shouldn't get any unless you contacted customer support starting from December 2021 and up until a few days ago.

I never contacted customer support for any hardware wallet, and I am considering any email message I received as potential phishing attack.

I just got very suspicious mail from trezor.io

This is 100% a scam.
Report as spam and ignore.
Other scammers unrelated with this hack will try to use this situation and send emails to everyone.

[Learn Bitcoin]

Even though they have regained access to their support center, the hacker still has a chance to use email spoofing and send emails to those Trezor users and try various hacking attempts like sending malware and asking them to download, or asking them to use new web portal which could be phishing and numerous more methods they may try. There are still a few percentage of people who might believe those emails and try those things.

This is exactly what has started to happen now. Check this thread for more information    
[Warning] Trezor users are receiving fake emails with phishing links.. We knew from the beginning that if a hacker had the list of the users, he would make various scam attempts including sending emails and asking them to do various things. In this case, the hacker sends users an email to upgrade their network, otherwise, the users will lose their funds. LOL. What a lame excuse! I wish no one falls for this scam attempt. But as I said, we will never know if some average Joe who has a Trezor wallet may fall for this scam. I hope everyone stays safe and does not fall for it.

[dkbit98]

This is what is popping up now when you open Trezor Suite app, they are warning users about unsolicited emails asking for customer sensitive information.

With this pop up trezor is sending link to recent blog article with detailed explanations, and if you ever signed up for Trezor newsletter you can expect to receive one of this emails.
And there is a lame apologize from Trezor in the end 

We apologize for any concern this may have caused you.

https://blog.trezor.io/trezor-security-alert-stay-vigilant-against-an-unauthorized-email-and-continued-phishing-attacks-1b4982c2f53c