Wallet Keys Stolen
A wallet with over half a million dollars was emptied recently because of a hacked Apple account, where the seed phrase for a metamask wallet was stored in an iCloud account with two-factor authentication enabled. This highlights that cloud storage is not recommended for storing wallet keys
Hacked Through Telephone Call
2FA Secures account but not the user
The number one way to compromise an account is by communicating with the human with auth access, in this instance the fault is not with Apple nor MetaMask, who both overall offer sound security advice. The weak point in this situation was the person who had correctly secured their account with two-factor authentication (2FA), but then didn’t realise the extent someone would go to engineer the handing over the two step auth code to a cold caller
Secured by default
I have been through the installation process for MetaMask on iOS and at no point did the OS try to back the seed phrase up to iCloud, as it does with other passwords when setting up apps or logging into websites. This should serve as a sobering reminder that who controls the keys to a wallet has total control of the value inside the wallet
Here is the advice given by the MetaMask iOS app during setup, at no point does it tell you to save it to a cloud storage device, anything connected to the internet is vulnerable to being pwned remotely. Cold storage requires access to a physical location to access the recover seed phrase
Security in the Web3 world has a learning curve and it’s important to note the value in cryptographically secured assets are wholly owned by the person who holds the key, no institution, bank or company can sanction the removal of the funds
TLDR; An iCloud account with 2FA enabled was compromised where the seed phrase for a MetaMask wallet was stored costing the owner of the wallet over half a million dollars
