KEY POINTS

  • iCloud backup of app data includes password-encrypted recovery phrases
  • NFT phishing victim lost around $650,000 worth of digital assets
  • Some of the stolen assets have already been purchased by investors

MetaMask users on Apple devices were vulnerable to phishing attacks because iCloud backup for app data also includes the password-encrypted MetaMask vault, the popular crypto wallet warned its customers after an investor lost around $650,000 worth of digital assets to a scam.

MetaMask, a wallet that facilitates access to Ethereum's Dapp ecosystem, alerted iOS users through its official Twitter account that keeping the wallet seed, which is a secret recovery phrase made up of 12 words, on iCloud could put the contents of the wallet at risk in the event the Apple account is compromised.

"If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds," MetaMask tweeted.

A representation of cryptocurrency Ethereum is seen next to non-fungible tokens (NFTs) of Yuga Labs "Bored Ape Yacht Club" collection displayed on its website, in this illustration picture taken March 24, 2022. Reuters / FLORENCE LO

That was exactly what happened to a Twitter user who goes by the name Domenic Lacovone and who said they lost almost $650,000 in digital assets - MAYC 28478, MAYC 8952, MAYC 7536, Gutter Cat 2280, 2769, 2325 and $100,000 worth of ApeCoin. The user has offered a "100k reward" to anyone who can help trace the stolen assets.

"This is how it happened, Got a phone call from Apple, literally from Apple (on my caller Id). Called it back because I suspected fraud and it was an Apple number. So I believed them. They asked for a code that was sent to my phone and 2 seconds later, my entire MetaMask was wiped," they said.

Though NFT marketplace OpenSea was quick to flag all the stolen NFTs as "suspicious," several Twitter users claimed they had already purchased some of them. One user offered to sell a stolen NFT back to Lacovone at cost.

Lacovone expressed their frustrations after MetaMask posted the warning saying, "The problem is they don’t tell anyone they provide your seed phrase to iCloud. What’s the point of having it and storing it in a safe place if they are giving it out like that. The only thing @MetaMask should be storing is username and password. That’s it."

MetaMask also detailed how users can disable automatic iCloud backups, advising them to "disable iCloud backups for MetaMask, specifically by turning off the toggle here: Settings > Profile > iCloud > Manage Storage > Backups." It also recommended turning off the feature entirely to "avoid iCloud surprising you with unrequested backups in the future." To do this, users need to go to Settings, Apple ID/iCloud, iCloud and turn off iCloud Backup.