Outrageously bad security practices are now the talk of the town (see the Solana wallet hack, traced to unencrypted seed phrases sent by Slope Wallet). NEAR Protocol, it turns out, had received a bug report about a similar issue, sensitive information being shared with a third party, and fixed it the same day.
In a blog post, the developer-friendly proof-of-stake (PoS) blockchain described how its team, working with security firm Hacxyk, faced a third-party security breach on June 6th.
For some users who had set up email or SMS recovery for their wallets, a code change resulted in the collection of sensitive data.
The recovery seed phrase (a group of words that grants access to a crypto wallet) was sent to the user’s email address, and when the user clicked the link, the seed phrase was leaked to a specific third party, the analytics platform Mixpanel.
Anyone with access to the Mixpanel access log, including the Mixpanel account owner, would “have access to everyone” who had clicked the link in the recovery email.
NEAR was able to address the situation quickly by cutting off access to the data for both the third party and its own employees, preventing the breach from posing a risk to user funds or privacy.
The blog post recommended that users who have previously used email or SMS recovery options rotate their keys by visiting wallet.near.org and then disabling email or SMS recovery.
Hacxyk wrote, “The seed phrase is also stored in the access log of wallet.near.org. This is a bad practice because by default the full URL is logged in HTTP servers and/or any middlewares, which can then be accessed later at any point.”
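As an added illustration of the point Hacxyk makes above (this is not code from NEAR, Hacxyk or the original article): a small Python scanner that flags mnemonic-shaped values in the query strings of a constructed access log, plus a redaction helper for scrubbing a URL before it is logged or handed to an analytics SDK such as Mixpanel. The log lines, paths and parameter names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed nginx/Apache "combined"-style access log (not real NEAR data).
# The second request carries a 12-word mnemonic in its query string, which is
# exactly what lands in server logs and in any analytics call that reports
# the page URL. Path and parameter names are hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2000:13:55:36 +0000] "GET /recover?token=9f1c2ab7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2000:13:56:02 +0000] "GET /recover?seedPhrase=alpha+bravo+charlie+delta+echo+foxtrot+golf+hotel+india+juliet+kilo+lima HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2000:13:56:09 +0000] "GET /static/app.js HTTP/1.1" 200 80421 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def looks_like_mnemonic(value: str) -> bool:
    """Heuristic: BIP39 mnemonics are 12 to 24 lowercase words. No wordlist is
    embedded, so any value with that shape is flagged (cheap, a few false positives)."""
    words = value.split()
    return 12 <= len(words) <= 24 and all(w.isalpha() and w.islower() for w in words)


def find_seed_leaks(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, timestamp, parameter_name) for each request whose
    query string carries a mnemonic-shaped value. The value itself is never
    returned, so running this does not copy the secret into yet another place."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qsl decodes '+' and %20 back to spaces before the word check.
        for name, value in parse_qsl(urlsplit(m["url"]).query, keep_blank_values=True):
            if looks_like_mnemonic(value):
                hits.append((m["ip"], m["ts"], name))
    return hits


def redact_url(url: str) -> str:
    """Scrub mnemonic-shaped query values before a URL is logged or handed to
    an analytics SDK. Other parameters are preserved in order."""
    parts = urlsplit(url)
    pairs = [(n, "REDACTED" if looks_like_mnemonic(v) else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs)).geturl()
```

The durable fix is the one NEAR's advice implies: never put the secret in the link at all, and send an opaque one-time token that the server exchanges for the recovery step instead, so there is nothing to redact.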