Trezor's Twitter (X) Account Hacked

[Pmalek]

Trezor's X account was hacked late in the evening of 19 March.
Whoever got access to it advertised the presale of a fake $TRZR token on the Solana blockchain. Users were asked to send SOL to an address posted in the tweet.

Trezor has regained access to their account and confirmed the hack. They also said that they used a strong password and had 2FA activated on Twitter. Some speculate it was a SIM swap attack.

According to ZachXBT, the hack wasn't successful compared to many others. The address received a little over $8,000 in SOL.

Crypto companies that are responsible in part for safeguarding user's sensitive information need to up their own game.

[1714235200]

1714235200

[1714235200]

1714235200

[1714235200]

1714235200

[Charles-Tim]

I have X to blame more about this. Hacking someone's X account is something common nowadays. We hear about new hack every week or less. Even United States SEC account was hacked. If X want to protect people's accounts and have better security, sim authentication should be removed while remain authentication app and security key which is hardware 2FA.

I also have Trezor to blame about this. They are hardware wallet company but failed not to use either the security key or the authentication app.

Trezor has regained access to their account and confirmed the hack. They also said that they used a strong password and had 2FA activated on Twitter. Some speculate it was a SIM swap attack.

They have just used now or they used strong password before? Also what kind of 2FA they used? If it is sim authentication, they are very stupid and foolish.

According to ZachXBT (https://twitter.com/zachxbt/status/1770237007366639681), the hack wasn't successful compared to many others. The address received a little over $8,000 in SOL.

It is because this type of scam is common and not new anymore.

I do not think Trezor also care about their customers at all. Not long when people that subscribed to their newsletter email accounts were compromised, now their X account.

[alastantiger]

Ever since Elon Musk took over ownership of X, no month goes by without a report of an account hack. Furthermore, X has become the home of every type of scam that one can imagine that can be perpetrated, Mostly crypto scams. These crypto scams are advertised and even embedded in every tweets that has a lot of engagements. Unfortunately, even after they are reported as scams, guess what, they are not removed. I have a theory that why this is so is because they are also a revenue stream for X.

These security lapses have ruined their reputation in so many quarters. If X users want to safely secure their accounts and avoid scams and hacks, they can do so through the use of authenticator apps and then do their own research. Whatever happened to that?

[Yamane_Keto]

X has not become a reliable source for receiving information, as the blue badge chaos and constant hacking have made the platform lose a lot of credibility. Why do these hackers create things that are easy to discover, meaning if they post something like Trezor recovery service, it will cause more damage than the SOL token.

[dkbit98]

I also have Trezor to blame about this. They are hardware wallet company but failed not to use either the security key or the authentication app.

Strange how this could happen when they had strong password and 2FA activated in twitter, this was confirmed.
Either this was some insider leak from trezor team, or twitter has some serious security flaws, and I would not be surprised if this was the case.
I don't trust clown Musk and his twitter with anything so I automatically not blindly trusting tweets from anyone.

[Meuserna]

Strange how this could happen when they had strong password and 2FA activated in twitter, this was confirmed.
Either this was some insider leak from trezor team, or twitter has some serious security flaws, and I would not be surprised if this was the case.
I don't trust clown Musk and his twitter with anything so I automatically not blindly trusting tweets from anyone.

Yes.

Twitter is no longer a reliable source of information.  Well, Twitter isn't even "Twitter" anymore.  Elon Musk doesn't know how to handle being rich.  He's drunk with power, and he's wrecked everything Twitter once was.  He did massive staff cutbacks, and I'd be shocked if he hasn't built in backdoors in order to "oversee" things.

We should expect to see many more security breeches on X.  Many more.

[Pmalek]

They have just used now or they used strong password before?

They claimed to already have used a strong password and 2FA prior to the hacking incident.

It is because this type of scam is common and not new anymore.

That and probably the fact that the tweets were quickly discovered and deleted after Trezor regained access to their account.

Trezor has released a report with more details of the hack. Here are the most important points:

- Trezor didn't use SMS for 2FA. They used a more secure method without naming what.
- It was a phishing attack that was in the works for several weeks.
- The hacker contacted Trezor's PR team pretending to want to arrange an interview with the CEO. After several rounds of communication, the hacker shared a Calendly invite, which turned out to be a malicious link.
- Trezor's team member connected the company's Twitter profile to the fake app, giving the attacker a permission to post and control of the account.
- Trezor revoked the malicious access when they became aware of what happened.

[Charles-Tim]

Strange how this could happen when they had strong password and 2FA activated in twitter, this was confirmed.
Either this was some insider leak from trezor team, or twitter has some serious security flaws, and I would not be surprised if this was the case.

With what Pmalek later posted, Trezor accepted the fault is from them (Trezor).

I don't trust clown Musk and his twitter with anything so I automatically not blindly trusting tweets from anyone.

I thought there have been several Twitter accounts hacked before Elon Musk bought Twitter. But just that the hackers are having more knowledge daily and the hack become common. I think aside setting the 2FA app or security key, we also need not to click on any link as Trezor did or they should do it on a separate device instead.

Trezor has released a report with more details of the hack. Here are the most important points:

- Trezor didn't use SMS for 2FA. They used a more secure method without naming what.
- It was a phishing attack that was in the works for several weeks.
- The hacker contacted Trezor's PR team pretending to want to arrange an interview with the CEO. After several rounds of communication, the hacker shared a Calendly invite, which turned out to be a malicious link.
- Trezor's team member connected the company's Twitter profile to the fake app, giving the attacker a permission to post and control of the account.
- Trezor revoked the malicious access when they became aware of what happened.

Which means the fault is still from Trezor.

[dkbit98]

Twitter is no longer a reliable source of information.  Well, Twitter isn't even "Twitter" anymore.  Elon Musk doesn't know how to handle being rich.  He's drunk with power, and he's wrecked everything Twitter once was.  He did massive staff cutbacks, and I'd be shocked if he hasn't built in backdoors in order to "oversee" things.

He is just a puppet and controlled opposition.
When you think about it a bit deeper, it's impossible for one human being to be involved in so many things like he is, and most of them are fake and/or stolen/purchased from others.

- Trezor's team member connected the company's Twitter profile to the fake app, giving the attacker a permission to post and control of the account.

Nobody is immune on phishing attacks, but I can't believe how many people didn't learn not to click random links without checking first.

People forgot when few years ago when accounts from Musk and other high profile people got hacked:
https://www.nytimes.com/2020/07/15/technology/twitter-hack-bill-gates-elon-musk.html

[Pmalek]

Which means the fault is still from Trezor.

Of course. It was a mistake by their PR team which could have easily been avoided had they not accepted or clicked on anything the hacker sent them.

Reading Trezor's report reminded me of the stuff I used to see from Ledger back in the day. They praise themselves, informing the readers about how serious they take security. They then inform us in a positive way how everything would have stayed safe if it wasn't for the mistake of that one unlucky team member. With Ledger, it was an ex-employee. With Trezor, it's a PR guy who didn't know better.

[m2017]

Strange how this could happen when they had strong password and 2FA activated in twitter, this was confirmed.
Either this was some insider leak from trezor team, or twitter has some serious security flaws, and I would not be surprised if this was the case.

At first glance, this is a trivial incident (compared to the screw-ups of a competitor Ledger), but if you think about it, it reveals the fact that Trezor is also not doing well with the qualifications of their employees (the human factor), who allowed this to happen. Also, other employees of this company, who are not responsible for social networks, but are already directly connected with trezor devices (both hardware and software part), also come into question, and the question arises, is it still safe (will it be) to store crypto on their devices?

I don't trust clown Musk and his twitter with anything so I automatically not blindly trusting tweets from anyone.

At a minimum, should check the information on alternative channels of the project when tweets appear (strange, why wasn’t this word replaced in the same way as the name of this social network? Xs? ) about the presale and to participate just need to send money to a specific address. In this case, what prevented from checking the accuracy of the presale on the official Trezor's website or in other social networks, because information of this kind is duplicated. Moreover, this (about the upcoming presale) would have been known in advance.

According to ZachXBT, the hack wasn't successful compared to many others. The address received a little over $8,000 in SOL.

This is not the first such trick from scammers, but they still find their client.

[BlackHatCoiner]

I don't know what to believe anymore. Was it a security mistake of Trezor or is Twitter a security nightmare now more? We hear accounts getting hacked frequently since Musk bought it. It has been compromised before that, with millions of users having their email addresses leaked, but now it happens more systematically, targeted on compromising influential accounts. It doesn't seem as if all these accounts simply chose to not use a 2FA.

[apogio]

Out of curiosity, don't you all think that X (Twitter) has a strong potential to become the no. 1 scamming / hacking / faking website?
I mean, I hear this kind of stories all day...
It must mean that they do something really bad there. I realise that people don't use strong passwords and I also realise that 2FA can be spoofed, but still, I don't get it.

[examplens]

Of course. It was a mistake by their PR team which could have easily been avoided had they not accepted or clicked on anything the hacker sent them.

Reading Trezor's report reminded me of the stuff I used to see from Ledger back in the day. They praise themselves, informing the readers about how serious they take security. They then inform us in a positive way how everything would have stayed safe if it wasn't for the mistake of that one unlucky team member. With Ledger, it was an ex-employee. With Trezor, it's a PR guy who didn't know better.

The person who was in charge of PR should think about changing jobs. What kind of interview is it when it was necessary to verify the application with a Twitter account?
Twitter has become unstable with some very questionable new rules, but companies that present themselves as serious should think about the way they select employers for important positions.

[BlackHatCoiner]

Out of curiosity, don't you all think that X (Twitter) has a strong potential to become the no. 1 scamming / hacking / faking website?

It already is. As long as advertisers are willing to pay X a decent amount, they will be approving their advertisement. I'd recently installed X, and the shitcoin shilling is massive. DeFi, meme tokens, yield promising platforms, fake URLs, etc., it's a scam-land. And I wished it was just advertisers; just put an adblock and problem solved. But, there are endless bots which shill the same and even worse stuff in the comments (even NSFW).

[apogio]

Out of curiosity, don't you all think that X (Twitter) has a strong potential to become the no. 1 scamming / hacking / faking website?

It already is. As long as advertisers are willing to pay X a decent amount, they will be approving their advertisement. I'd recently installed X, and the shitcoin shilling is massive. DeFi, meme tokens, yield promising platforms, fake URLs, etc., it's a scam-land. And I wished it was just advertisers; just put an adblock and problem solved. But, there are endless bots which shill the same and even worse stuff in the comments (even NSFW).

Good luck man. In my short X life, which lasted approximately 2 days, I was surprised by how much lack of basic knowledge existed there.
And I mean from "bitcoiners" too. Some laser-eyed morons who were used to repeating everything they were told.
To be clear, I don't have any issues with the laser-eyed avatars, I kinda like it too, but I hate it when people pretend they know something, instead of reading or listening in order to get a more solid grasp of how bitcoin works.
I have been studying about Bitcoin for 2 years now, and I am surprised that I still have so much left to learn.
It's a pity that on X there is so much misleading, scamming and fake news, even from the bitcoiners' side.
I hope that people like you will eventually convey the correct message on X and that you will be able to educate as many people as you can.

[BlackHatCoiner]

Good luck man. In my short X life, which lasted approximately 2 days, I was surprised by how much lack of basic knowledge existed there.

Eh, I don't say I like it. I just prefer it over Instagram and Facebook. I know that I have to cut social media off my life entirely, but it's difficult. Sometimes after work I just want to relax for a few minutes scrolling on Twitter or YouTube shorts, it ain't that bad, even though I don't hide from you that I feel bad when 20-30 minutes are passed like really fast and I'm just staring at my phone.

To be clear, I don't have any issues with the laser-eyed avatars, I kinda like it too, but I hate it when people pretend they know something, instead of reading or listening in order to get a more solid grasp of how bitcoin works.

I don't like (but nor hate) the laser-eyes thing either, but wasn't that a thing of the past? I don't remember the last time that I saw a laser eye, to be honest. Maybe Michael Saylor still has that?

I hope that people like you will eventually convey the correct message on X and that you will be able to educate as many people as you can.

You flatter me, but I'm no expert! Just a hobbyist, like everyone else. 

[apogio]

Eh, I don't say I like it. I just prefer it over Instagram and Facebook. I know that I have to cut social media off my life entirely, but it's difficult. Sometimes after work I just want to relax for a few minutes scrolling on Twitter or YouTube shorts, it ain't that bad, even though I don't hide from you that I feel bad when 20-30 minutes are passed like really fast and I'm just staring at my phone.

I have made this step 2 years ago. No more social media for me. I love it now, but it was difficult back then. These apps are designed to be addictive.

I don't like (but nor hate) the laser-eyes thing either, but wasn't that a thing of the past? I don't remember the last time that I saw a laser eye, to be honest. Maybe Michael Saylor still has that?

Perhaps yes. I have quit Twitter since 2022, so I can't say for sure. Saylor had laser eyes yes. Also Jack Mallers. Some other guys from Bitcoin Magazine too. But as I said, perhaps they have removed the laser beams now  

You flatter me, but I'm no expert! Just a hobbyist, like everyone else. 

I never said you are an expert, although I think you know a lot about Bitcoin. All I am saying is that you have put effort in order to acquire some knowledge, but the majority of people on twitter haven't put effort at all. They are used to repeating phrases that they find cool.

[BlackHatCoiner]

I have made this step 2 years ago. No more social media for me. I love it now, but it was difficult back then. These apps are designed to be addictive.

Yep. Especially if your communication depends on them, more or less...

All I am saying is that you have put effort in order to acquire some knowledge, but the majority of people on twitter haven't put effort at all.

There are some good accounts to follow, like lopp, aantonop, SamouraiWallet etc. But, I don't follow lots of Bitcoin accounts for the reasons you outlined. Especially random accounts that are into Bitcoin solely for the fiat gains. (I do get them on recommendations though, because... Twitter)

[Pmalek]

At first glance, this is a trivial incident (compared to the screw-ups of a competitor Ledger), but if you think about it, it reveals the fact that Trezor is also not doing well with the qualifications of their employees (the human factor), who allowed this to happen.

Fortunately, it wasn't that serious. But it doesn't mean it couldn't have been or that the hackers wouldn't have succeeded in retrieving more valuable data from Trezor employees if they tried it. The database of those who purchased their hardware wallets, for example. We also know that Trezor, just like Ledger, outsource some work to 3rd-party companies. So, Trezor and its team are only one attack model. The other one is all the services that partner with them, handling customer support, email services, and who knows what else.

There are some good accounts to follow, like lopp, aantonop, SamouraiWallet etc.

Andreas doesn't operate his Twitter account. Someone from his team does. Andreas shares his content over his website, YouTube, and Patreon.