Trezor security alert: Stay vigilant against a potential phishing attack

SatoshiLabs, Trezor Blog, Jan 19, 2024

Summary

We are investigating a security incident that occurred on January 17th, 2024, where there was unauthorized access to the third-party support ticketing portal we use.

We want to reassure our users that their digital assets have not been compromised in any way through this incident.

The security incident we’ve identified has implications for customers who have interacted with Trezor Support since December 2021. While this represents a small part of our entire user base, up to 66,000 contacts were present in the system during that time. We are making every effort to work with the third-party service provider to comprehensively investigate the incident. However, our internal audit of the incident suggests potential access to contact details, limited to email and name/nickname.

Protecting our users is our utmost priority, and we believe in upholding transparency. By sharing this information, we aim to empower you to heighten your vigilance and enhance the security of your personal information.

Note: Although unconfirmed, we consider it our responsibility to inform our affected users of the possibility of their contact details having been exposed, and at risk of a phishing attack. Acting out of an abundance of caution and a commitment to transparency, we have emailed all of the 66,000 contacts alerting them to the scope of the incident. We expect all emails to be delivered to the contacts within the next 12 hours.

We are providing you with this information proactively, out of an abundance of caution and our commitment to transparency. The potential exposure of email addresses is harmful mainly because those addresses can be targeted with phishing attempts. As of now, we have not observed any spike in phishing activity as a result of this security incident.

Detailed information

We continue to investigate the matter. Meanwhile, here is the sequence of events, the actions we have taken, and the recommendations we can make as of now.

The incident and what we know

On January 17th, 2024, at 20:20 CET, we identified unauthorized access to the third-party support portal we use. This breach occurred at the level of the third-party service provider we are currently engaged with. We are in the midst of a thorough investigation into the scope of this incident, together with the third-party service provider.

Based on the ongoing investigation of the incident and our communication with the third-party service provider, there is a potential that the contact details of up to 66,000 users, customers who have interacted with Trezor Support since December 2021, may have been accessed.

During our investigation, we were alerted to the fact that the individual contacted 41 of our users directly via email, requesting sensitive information related to their recovery seeds.

Above is a screenshot of the email received by users from the malicious actor in the security breach.

We have reviewed these interactions and alerted each of the contacted users within an hour of the incident. No recovery seed phrases have been disclosed.

Furthermore, we also believe 8 people who created accounts on our trial discussion platform hosted by the same third-party vendor might have had their contact details compromised too. All 8 people have been directly contacted by our support team and made aware of the incident.

However, given the breach of contact details, there remains a heightened risk of phishing attacks aimed at obtaining the affected users’ recovery seed.

Note: Acting out of an abundance of caution and a commitment to transparency, we have emailed today, 20th January 2024, all of the 66,000 contacts alerting them to the scope of the incident. We expect all emails to be delivered to the contacts within the next 12 hours.

What contact information was involved?

Our audit indicates a possibility that the malicious actor may have accessed contact details limited to name/nickname and email addresses.

Please note, this incident has affected those users who may have interacted with our support team since December 2021. We understand the gravity of this situation and have reached out via email to all affected users, requesting an exercise of caution.

If you have not received the email from noreply@trezor.io alerting you to the incident, your details are not at risk.

Our immediate response

Upon discovering the incident,

  1. We immediately prevented any further unauthorized access. This included promptly revoking the malicious actor’s access and conducting a detailed audit of our access and operational logs. The risk from the attack was mitigated entirely from a technical perspective on January 17th, 2024 at 20:20 CET.
  2. Our first contact with the third-party provider to estimate the scope of the unauthorized access happened on January 17th, 2024 at 20:26 CET. Initial reports from our third-party service provider indicated prompt attention to the issue, with assurances that no data exports or emails had occurred. We approached these claims with a critical eye, and following our own rigorous investigations, we were alerted to the 41 users who had been contacted by the malicious actor.
  3. We promptly alerted each one of the 41 users who received direct contact from the malicious actor.
  4. Based on our internal audit, the security incident could have implications for customers who have interacted with Trezor Support since December 2021. This aggregates to a total of up to 66,000 users, whose contact details (email and name/nickname) might have been exposed. Although we have not yet received definitive confirmation or denial of this exposure, we have chosen to act proactively. We have reached out to the potentially affected user base to alert them to the incident’s extent and to warn them of an increased likelihood of phishing attacks aimed at obtaining their recovery seed.

Since our initial engagement with the third-party provider after the incident, we have maintained ongoing communication through multiple email correspondences, interactions with their support team, and a formal inquiry with their security department. Despite these extensive communications, it is unfortunate that they have yet to reach a definitive conclusion. Our security team is tirelessly working to investigate and confirm the security of our systems, and we are pushing for clear and conclusive information from the provider to resolve this matter with the urgency it demands.

All funds remain safe

We want to stress that none of our users’ funds have been compromised through this incident. Your Trezor device remains as secure today as it was yesterday.

The message today is the same as the day Trezor was created: never enter your recovery seed anywhere other than into your Trezor device itself, during recovery. Users who are uncertain about the proper behavior of their wallet are more than welcome to contact our support at https://trezor.io/support.

We cannot stress this enough. It’s crucial to remember that Trezor will never ask for your recovery seed over email, through customer support, or via any other form of communication. Never share your recovery seed with anyone. If you receive any communication that asks for your seed phrase, it’s likely a phishing attempt, and we ask that you contact our official support channel.

Looking forward

We understand that this event may cause concern, and we sincerely apologize for any inconvenience it may have caused. We assure you that we will continue to work hard to enhance our security practices even further. Regrettably, dependence on and governance of third-party service providers are pervasive challenges of modern-day business; we are however closely assessing our partnership with the third-party vendor involved.

Please remain cautious and vigilant for potential phishing attacks. Here are some details and examples to help you identify phishing scams. Your Trezor hardware wallet has in no manner been compromised, and your assets are safe. However, the security of your digital assets also depends on your vigilance. Do not share your seed phrase with anyone, and be wary of any unusual or suspicious contact attempts.

Again, we express our deep regret for this incident and the concern it may have caused.

We thank you for your continued trust in Trezor.

For any concerns, or questions, or to report suspicious activity, please reach out to our support team.

FAQs

  • Has this breach affected me? How can I know if my contact details were among those exposed?

If you received our notification email (from: noreply@trezor.io) regarding the security issue, your contact details might have been among those exposed by the malicious actor at the third-party support ticketing portal we use. Again, we want to stress that we have not yet received definitive confirmation or denial of this exposure from the third-party provider, but we have chosen to act proactively.

  • Can you provide specific details about the nature and extent of the data breach?

An unauthorized individual accessed our support ticketing portal on January 17th, 2024 via our third-party support platform. This exposed names and email addresses of those customers who had previously contacted Trezor Support. Based on our internal audit, and very little concrete information from the third-party service provider, we believe no other personally identifiable information, including postal addresses and phone numbers, was exposed.

  • How many customers are affected by this incident?

A total of 41 customers were contacted directly via email by the malicious actor. These users were asked for sensitive information related to their recovery seeds. However, based on the information we’ve received from our third-party service provider, we believe there is a potential that the contact details (email and name/nickname) of up to 66,000 users in contact with our support since December 2021 could have been accessed.

  • Besides email addresses, were there any other types of personal or sensitive data compromised in the breach?

Information disclosed was limited to the name/nickname and email address of customers who had contacted Trezor Support. It’s important to stress that customer postal addresses and phone numbers were not disclosed.

  • How has this breach impacted Trezor’s operations or services?

Trezor devices remain entirely safe and secure. A small proportion of users face an increased risk of phishing attempts, and as with all such attempts, we advise customers to stay vigilant and follow cyber security best practices. Customers can find information on this on the Trezor website.

  • How can users be sure that interaction with Trezor Support is legitimate?

The safest way to access our Support is via our website. We always advise users to stay vigilant given the increased sophistication of phishing attempts. We remind users that no legitimate representative of Trezor will ever ask a user for their seed. Please NEVER share your recovery seed with anyone. If you have any doubts, please reach out to our support team.
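The two rules above (Trezor never asks for your recovery seed; check that contact really comes from Trezor) can be applied mechanically to an incoming message. The following is an added example written for this page, not Trezor's own tooling: it parses a raw email with Python's standard library, checks whether the sender address (not the display name, which is trivially spoofable) belongs to the vendor domain, reads the SPF/DKIM outcome from an Authentication-Results header, and treats any sentence that asks the reader to provide a seed as decisive. The vendor domain `trezor.io` is taken from the notification address on this page; the assumption that the vendor sends only from that domain, the presence of an Authentication-Results header added by the receiving mail server, and both sample messages (including the lookalike domain `trezor-helpdesk.example`) are constructed for the demonstration.

```python
"""Triage of support-themed emails against the rule "support never asks for
your recovery seed". Added example; not Trezor's code.

Assumptions (constructed for the demonstration): the vendor sends only from
VENDOR_DOMAIN, the receiving mail server writes an Authentication-Results
header, and the two sample messages below are invented.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

VENDOR_DOMAIN = "trezor.io"  # assumption: the vendor's only sending domain

# A request verb followed, within the same sentence, by a term for the seed.
# Deliberately narrow so that "never share your recovery seed" does not match.
SEED_REQUEST = re.compile(
    r"\b(send|enter|provide|confirm|verify|type|submit|upload)\b"
    r"[^.!?\n]{0,80}?"
    r"\b(recovery (seed|phrase)|seed (phrase|words)|(12|24)[- ]word)\b",
    re.IGNORECASE,
)


def triage(raw: bytes) -> dict:
    """Return a verdict and the reasons behind it for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()

    # Authentication-Results is written by the receiving server, not the sender.
    auth = str(msg.get("Authentication-Results", ""))
    spf_pass = re.search(r"\bspf=pass\b", auth, re.IGNORECASE) is not None
    dkim_pass = re.search(r"\bdkim=pass\b", auth, re.IGNORECASE) is not None

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    seed_request = SEED_REQUEST.search(text)

    reasons = []
    if seed_request:
        reasons.append(f"asks for the recovery seed: {seed_request.group(0)!r}")
    if domain != VENDOR_DOMAIN:
        reasons.append(f"sender address domain {domain!r} is not {VENDOR_DOMAIN!r}")
    if "trezor" in display_name.lower() and domain != VENDOR_DOMAIN:
        reasons.append("display name impersonates the vendor")
    if not (spf_pass and dkim_pass):
        reasons.append("SPF and DKIM did not both pass")

    if seed_request:
        verdict = "phishing"  # decisive on its own: support never asks for the seed
    elif reasons:
        verdict = "suspicious"  # sender could not be tied to the vendor
    else:
        verdict = "consistent with vendor mail"
    return {"verdict": verdict, "from": address, "reasons": reasons}


# Constructed sample: vendor-like display name, lookalike domain, seed request.
PHISHING_SAMPLE = b"""\
From: "Trezor Support" <support@trezor-helpdesk.example>
To: customer@example.com
Subject: Ticket #4821: verification required
Authentication-Results: mx.example.com; spf=fail; dkim=none
Content-Type: text/plain; charset="utf-8"

Due to a security incident we must re-validate your wallet.
Please confirm your 24-word recovery seed using the form linked below.
"""

# Constructed sample: a notice from the vendor domain that asks for nothing.
NOTICE_SAMPLE = b"""\
From: Trezor <noreply@trezor.io>
To: customer@example.com
Subject: Security incident notification
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=trezor.io
Content-Type: text/plain; charset="utf-8"

Your contact details may have been exposed in a breach of a third-party support portal.
Trezor will never ask for your recovery seed. Never share it with anyone.
"""

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, NOTICE_SAMPLE):
        print(triage(sample))
```

The ordering of the verdicts is the point: a seed request is classified as phishing even if the sender checks were to pass, because per the rule on this page no legitimate support interaction ever contains one, whereas a sender-domain or SPF/DKIM failure on its own only makes the message suspicious. The sentence-level pattern is intentionally narrow; it is one signal for a mailbox filter, not a substitute for the habit of contacting support only through the website.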

  • What prevented Trezor from securing the data exposed in this incident better?

The data was exposed due to unauthorized access to the third-party support ticketing portal we use. Unfortunately, in the global business landscape, collaboration with third-party service providers is often essential, though it comes with inherent challenges. Despite our limited influence over these external entities, we prioritize the protection of sensitive data, including addresses. We regret any concern this incident may cause and are actively re-evaluating our relationship with the third-party vendor in question to strengthen our data security measures.


Innovating since we founded the industry in 2013 with production of the first crypto hardware wallet, the Trezor One. Open-source, secure, community-driven.