According to sources, MetaMask is warning Apple users to disable automatic iCloud backups of their MetaMask wallet data, as their master password is being stored online. The MetaMask warning came in response to reports from an NFT collector on Twitter known as “revive dom,” who stated on April 15 that their entire wallet containing $650,000 in digital assets and NFTs was wiped due to this specific security issue.
The security issue for iPhone, Mac, and iPad users is related to default device settings that store a user’s seed phrase or “password-encrypted MetaMask vault” on iCloud if the user has enabled automatic backups for their app data. MetaMask stated in a Twitter thread posted on April 18 that users risk losing their funds if their Apple password “isn’t strong enough” and an attacker is able to phish their account credentials.
DAPE NFT project founder “Serpent”, who also helped gain the attention of MetaMask by sharing the story with their 277,000 followers, gave a rundown of what happened to the victim in a separate thread earlier today. They reported that the victim received multiple text messages asking him to reset his Apple ID password, as well as a phoney call from Apple that turned out to be a spoofed caller ID.
Apparently unaware that the call was fraudulent, “revive dom” provided a six-digit verification code to prove ownership of the Apple account. The scammers then hung up and gained access to his MetaMask account through data stored on iCloud.
After MetaMask's warning, “revive dom” expressed his displeasure with MetaMask, noting that:
“I’m not saying they shouldn’t do it but they should tell us. Don’t tell us to never store our seed phrase digitally and then do it behind our backs. If 90% of the people knew this I would bet none of them would have the app or iCloud on.”
While the majority of the community was supportive, others were quick to point out the importance of using cold storage and conducting extensive due diligence when storing assets in a hot wallet.