Cyber Incident Victim: ConsenSys
Date: Aug 2021
Location: Ireland
Summary
A cybersecurity incident impacted a third-party customer support provider used by ConsenSys for MetaMask, resulting in unauthorized access to user-submitted data within support tickets over an extended period. The breach exposed limited personal information such as email addresses, though free-text fields in tickets could have included additional user-provided details like names, contact information, or financial data, affecting approximately 7,000 individuals globally. The core MetaMask applications remained unaffected, with the company terminating the unauthorized access, notifying relevant data protection authorities, and initiating forensic investigations alongside enhanced third-party risk management protocols to prevent recurrence.
Description
A cybersecurity incident involving ConsenSys and its MetaMask product occurred due to unauthorized access to systems operated by a third-party customer support ticketing provider. The breach impacted users who submitted personal data through MetaMask customer support channels between August 1, 2021, and February 10, 2023. Attackers compromised the service provider's infrastructure, gaining access to support tickets containing user-submitted information. While MetaMask explicitly requested only limited personal data such as email addresses for support purposes, the free-text fields in support tickets allowed users to voluntarily enter additional sensitive information. This optional data could include full names, dates of birth, phone numbers, postal addresses, and financial details. The incident did not affect the security of the MetaMask browser extension or mobile application, nor did it impact users who never contacted customer support during this period.

ConsenSys discovered the breach in August 2021 and contained the unauthorized access by February 2023. The company estimated approximately 7,000 global users had their support ticket data exposed during the 19-month vulnerability window. Response measures included terminating the unauthorized access, reporting the incident to Ireland's Data Protection Commission and the UK's Information Commissioner's Office, and collaborating with the third-party provider's cybersecurity forensic team. ConsenSys implemented additional safeguards to prevent recurrence while developing an enhanced third-party risk management program. Affected users received notifications despite technical limitations preventing precise identification of all compromised accounts. The company reiterated standard security advisories warning users against phishing attempts and emphasized that legitimate support never requests secret recovery phrases. Forensic investigations confirmed the breach remained isolated to the third-party ticketing system without compromising MetaMask's core wallet functionality or blockchain interaction capabilities.
