MetaMask, the Web 3.0 platform behind the eponymous, ultra-popular crypto wallet with more than 21 million monthly active users, announced an iCloud vulnerability that pricked the ears of digital-asset holders with Apple devices.
Apple-owning MetaMask users who have iCloud backup enabled are jeopardizing their cryptocurrencies and/or NFTs. Why? When iCloud stores your information on Apple's remote servers, it includes your password-encrypted MetaMask vault. If you have a weak password, or you fall victim to a phishing attack, hackers can take advantage and skip away with stolen funds.
🔒 If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds. (Read on 👇) 1/3April 17, 2022
AppleInsider pointed out a real-life incident in which a MetaMask user, Domenic Iacovone, lost several NFTs and $100,000 in ApeCoin, an ERC-20 (i.e., Ethereum-based) token, due to a phishing attack.
Iacovone received a call on his iPhone "that read as an Apple number on his caller ID," AppleInsider said. When he called the number back, the scammer asked for a two-factor authentication code that was sent to his device. He obliged. Seconds later, his entire MetaMask wallet was wiped.
This is how it happened, Got a phone call from apple, literally from apple (on my caller Id) Called it back because I suspected fraud and it was an apple number. So I believed themThey asked for a code that was sent to my phone and 2 seconds later my entire MetaMask was wipedApril 14, 2022
As it turned out, the scammer managed to snag Iacovone's iCloud credentials. Apple's two-factor authentication code was the final layer of security protection that could have prevented Iacovone from losing all of his digital valuables, but unfortunately, he fell for the hacker's bait hook, line and sinker.
The malicious actor tried to sell the swiped NFTs on OpenSea, a popular marketplace for non-fungible tokens, but OpenSea flagged the stolen digital collectibles as suspicious. When this happens, the NFTs are locked; they cannot be sought, sold nor transferred using OpenSea.
Unfortunately, as of this writing, Iacovone is seemingly still trying to recover his assets.
How to stop iCloud from backing up your Metamask data
Apple users can disable iCloud backups for Metamask by navigating to Settings > Profile > iCloud > Manage Storage > Backups.
Another way to secure your Metamask is to use a crypto hardware wallet like the Ledger Nano X and Ledger Nano S Plus. Hackers can't do anything with your assets because they'd need to physically have your hardware wallet, along with your pin code, to manage your crypto and/or NFTs.