Cryptocurrency wallet maker MetaMask warned its 21 million monthly users that Apple iCloud backs up the app’s data by default, after attackers used that backup to steal $650,000 worth of funds and NFTs.
MetaMask user Domenic Iacovone revealed last week in a series of posts on Twitter that he fell victim to a social engineering attack that gave scammers access to his iCloud account.
According to Iacovone, the issues started on April 15 when he received multiple messages asking him to reset his Apple ID password, followed by a phone call from “Apple Inc.”
The scammer, who spoofed caller ID to appear as Apple, told Iacovone that there had been suspicious activity on his Apple iCloud account, and that all he had to do to resolve it was confirm he owned the account by reading back a one-time verification code his phone was about to receive.
Iacovone gave the six-digit code to the scammer. The scammer then emptied $650,000 worth of funds and NFTs from Iacovone’s MetaMask cryptocurrency wallet.
As a cybersecurity expert going by the alias Serpent explained on Twitter last week, MetaMask’s app data is automatically backed up to Apple iCloud by default, and that data includes the secret 12-word recovery phrase. With the iCloud account in hand, the attacker could restore that backup and recover the phrase.
MetaMask’s FAQ tells users never to give their secret recovery phrase or private keys to anyone, as they could take complete control of their funds.
In the wake of the attack against Iacovone, MetaMask advised users on Sunday to change their iPhone settings if they wish to disable iCloud backups for MetaMask.