The NEAR Protocol, a Layer 1 blockchain, has alerted users that SMS and email data used as a primary wallet recovery option was leaked to a third party in June. NEAR says the issue was resolved before any harm occurred.
The NEAR Protocol wallet offered at wallet.near.org let users add recovery options, including email or phone number data, to their crypto wallet accounts. This is where sensitive information was accidentally disclosed to third parties.
NEAR said it was able to deal with the situation quickly by removing access to the data from third parties or its own employees, to prevent such violations from threatening the security of funds or the privacy of users.
“The wallet team immediately corrected the situation,” the team said.
On June 6th, web3 security audit firm Hacxyk reported the bug and reportedly received a reward of $50,000. However, the NEAR Protocol team did not release the information until now.
Hacxyk said the third party NEAR identified was Mixpanel, an analytics service used by NEAR.
“We believe this is very similar to the latest Slope wallet hack on Solana: in short, the seed phrases accidentally leaked to the analytics service Mixpanel. When a user selects email/SMS as their seed phrase recovery method, that means the user’s seed phrases are stored on Mixpanel’s servers,” Hacxyk said.
As a security measure, the NEAR Protocol says it no longer allows users to create accounts using email or SMS for account recovery. It also recommends that users who previously used email or SMS recovery options with their NEAR wallet “rotate keys” or add a hardware wallet such as Ledger.
NEAR wallet accounts differ slightly from Ethereum accounts: a NEAR account can have multiple keys with different permissions. NEAR is telling users to revoke a potentially leaked key set and add a new set of keys to replace it.
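The kind of leak Hacxyk describes, wallet secrets ending up in an analytics service, can be guarded against by scrubbing every event before it leaves the client. The sketch below is an added example, not code from NEAR, Hacxyk or Mixpanel; the event shape, the function names, the sample URL and the patterns used to recognise a seed phrase or secret key are assumptions made for illustration.

```javascript
// Added example: redact wallet secrets from an analytics event before it is sent.
// Assumptions (not from the article): seed phrases are 12 or 24 lowercase words,
// secret keys look like "ed25519:<80+ base58 chars>", and the event shape is hypothetical.
const REDACTED = "[REDACTED]";
const SECRET_KEY = /ed25519:[1-9A-HJ-NP-Za-km-z]{80,}/g;
const SEED_PHRASE = /\b(?:[a-z]{3,8}[\s+,-]+){11}(?:(?:[a-z]{3,8}[\s+,-]+){12})?[a-z]{3,8}\b/g;

// Scrub one string; URL-decoding first catches phrases carried as %20-separated words.
function scrubString(value) {
  let text = value;
  try { text = decodeURIComponent(value); } catch (_) { /* malformed escape: scan raw text */ }
  const cleaned = text.replace(SECRET_KEY, REDACTED).replace(SEED_PHRASE, REDACTED);
  return cleaned === text ? value : cleaned;
}

// Walk strings, arrays and plain objects, recording the path of every redacted field.
function scrub(value, path, redactedPaths) {
  if (typeof value === "string") {
    const out = scrubString(value);
    if (out !== value) redactedPaths.push(path);
    return out;
  }
  if (Array.isArray(value)) {
    return value.map((v, i) => scrub(v, `${path}[${i}]`, redactedPaths));
  }
  if (value && typeof value === "object") {
    return Object.fromEntries(Object.entries(value).map(
      ([k, v]) => [k, scrub(v, path ? `${path}.${k}` : k, redactedPaths)]));
  }
  return value;
}

// Returns a scrubbed copy plus the redacted paths, so a leak attempt can be alerted on.
function sanitizeEvent(event) {
  const redactedPaths = [];
  return { clean: scrub(event, "", redactedPaths), redactedPaths };
}

// Constructed sample: a recovery URL that carries a made-up 12-word phrase.
const sampleEvent = {
  name: "recovery_method_selected",
  properties: {
    method: "email",
    url: "https://wallet.example/recover/alice.example/" +
      "apple-bread-cloud-dance-eagle-flame-grape-honey-ivory-jelly-kite-lemon",
    publicKey: "ed25519:" + "7".repeat(44), // public keys are short and left intact
  },
};
console.log(JSON.stringify(sanitizeEvent(sampleEvent), null, 2));
```

Pattern matching of this kind is a backstop: the stronger control is an allow-list of event properties so that recovery URLs and key material are never collected in the first place.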
The post “NEAR Protocol reveals that email and SMS recovery for user wallets were leaked in June. But it was fixed in time” appeared first on Bitcoin Addict.