MetaMask warns Apple users of risk to funds from iCloud backups

The MetaMask team warned non-custodial wallet users about the risks of storing data in Apple iCloud due to possible phishing attacks.

🔒 If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds. (Read on 👇) 1/3

— MetaMask 🦊💙 (@MetaMask) April 17, 2022

«If you have enabled app data backup to iCloud, it includes the password-protected MetaMask vault. If it isn’t secure enough, and someone phishes your iCloud credentials, this can lead to asset theft,» the statement said.

The wallet developers advised disabling iCloud backup for MetaMask in device settings.

If you want to avoid iCloud surprising you with unrequested backups in the future, you can turn off this feature at:
Settings > Apple ID/iCloud > iCloud > iCloud Backup
3/3

— MetaMask 🦊💙 (@MetaMask) April 17, 2022

The MetaMask statement followed an incident involving one of the NFT collectors. On April 15, he said on Twitter that he had lost an NFT worth $650,000.

This is how it happened, Got a phone call from apple, literally from apple (on my caller Id) Called it back because I suspected fraud and it was an apple number. So I believed them
They asked for a code that was sent to my phone and 2 seconds later my entire MetaMask was wiped

— Domenic Iacovone (@revive_dom) April 14, 2022

«Вот как это произошло: мне позвонили из Apple, буквально из Apple (по входящему ID). [Я] перезвонил, потому что заподозрил мошенничество, и это был номер Apple. Так что я им поверил. Они запросили код, отправленный на мой телефон, и через две секунды весь мой MetaMask был опустошен», — написал пользователь.

Позднее основатель проекта DAPE NFT под ником Serpent объяснил, что неизвестные смогли осуществить кражу из-за хранящейся в iCloud seed-фразы MetaMask.

3/ MetaMask actually saves your seed phrase file on your iCloud. The scammers requested a password reset for the victim’s Apple ID. After receiving the 2FA code, they were able to take control over the Apple ID, and access iCloud which gave them access to the victim’s MetaMask.

— Serpent (@Serpent) April 17, 2022

«Crooks asked for the victim’s Apple ID password reset. With the 2FA code, they gained control of the Apple ID and access to iCloud, which opened the way to the victim’s MetaMask,» the author of the thread explained.

He advised using a cold wallet for storage, not sharing verification codes, and reminded that information about the incoming number can be easily forged.

«Companies like Apple will never call you,» emphasized Serpent.

In March, the number of monthly active users of the non-custodial crypto wallet exceeded 30 million.

In the same month, the developers added to the new version of MetaMask support for Apple Pay and gasless transactions.

Subscribe to ForkLog news on Telegram: ForkLog Feed — the full feed of news, ForkLog — the most important news, infographics and opinions.