• The NEAR Protocol has revealed a breach of email and SMS data associated with user wallets

  • NEAR Protocol, a Layer 1 blockchain, informed users in June that SMS and email data used as recovery options in its primary wallet service had been compromised by a third party. NEAR stated in a new report that the problem was fixed before any harm was done.

    Users can add recovery options such as email addresses or phone numbers to their crypto wallet accounts by visiting wallet.near.org. A system bug unintentionally disclosed sensitive information to a third party.

    NEAR stated that it was able to address the matter immediately by removing access to the data by the third party or its own personnel, preventing the breach from posing a risk to customer finances or privacy.

    “The wallet team immediately remediated the situation, scrubbed all sensitive data, and identified any personnel who could have had the ability to access this data,” the team said.

    The flaw was discovered on June 6 by Hacxyk, a web3 security auditing business, which was awarded a $50,000 prize. Nonetheless, the NEAR Protocol team had not yet made the information public.

    According to Hacxyk, the third party was Mixpanel, an analytics tool that NEAR used. Hacxyk likened the situation to the recent Slope Wallet incident, in which wallet information was inadvertently transmitted to a centralized server. It further stated that in NEAR's case, private keys may have been compromised.

    “We believe the nature is very similar to the recent Slope wallet hack on Solana. In short, the seed phrases were unknowingly leaked to the third party Mixpanel, an analytics service, when users chose email/SMS as the seed phrase recovery method. This means users’ seed phrases are stored into Mixpanel’s server,” Hacxyk said.
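
As an added illustration (not code from NEAR, Hacxyk or Mixpanel), the following shows one client-side guard against the class of leak Hacxyk describes: scrubbing anything that looks like a seed phrase from event data before it is handed to an analytics call. The function names, the sensitive-key list, the 12-to-24-word heuristic and the sample event are assumptions made for this example.

```javascript
// Added example: names and heuristics are assumptions, not NEAR wallet or Mixpanel code.
const REDACTED = '[REDACTED]';

// Property names that must never reach a third-party analytics service.
const SENSITIVE_KEYS = /seed|mnemonic|phrase|private.?key|secret/i;

// 12 to 24 short lowercase words joined by whitespace, '-', '+' or '%20',
// which is how a seed phrase tends to look in text or inside a URL.
const MNEMONIC_RUN = /(?:[a-z]{3,8}(?:\s+|-|\+|%20)){11,23}[a-z]{3,8}/g;

function scrubString(value) {
  return value.replace(MNEMONIC_RUN, REDACTED);
}

// Recursively copy an event payload, redacting by key name and by value shape.
function scrubEvent(value, key = '') {
  if (SENSITIVE_KEYS.test(key)) return REDACTED;
  if (typeof value === 'string') return scrubString(value);
  if (Array.isArray(value)) return value.map((item) => scrubEvent(item));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrubEvent(v, k);
    return out;
  }
  return value; // numbers, booleans, null, undefined pass through
}

// Wrap whatever function sends events so nothing reaches it unscrubbed.
function makeSafeTracker(send) {
  return (name, props = {}) => send(scrubString(name), scrubEvent(props));
}

// Constructed sample event: the URL, account name and words are made up.
const demoEvent = {
  method: 'email',
  url: 'https://wallet.example/recover/alice.example/' +
    'alpha%20bravo%20charlie%20delta%20echo%20foxtrot%20golf%20hotel%20india%20juliet%20kilo%20lima',
};
makeSafeTracker((name, props) => console.log(name, props))('recovery_link_opened', demoEvent);
```

The value pattern deliberately over-matches: any run of twelve or more short lowercase words is redacted, which costs some analytics detail but fails closed.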

    The NEAR Protocol stated that as a security measure, it no longer permits users to register accounts through email or SMS for account recovery. Users who had previously used email or SMS recovery options with their NEAR wallet were also encouraged to “rotate their keys” or add a hardware wallet, such as Ledger.

    According to Hacxyk, the wallet account model for NEAR wallets differs from that of Ethereum. Multiple keysets with varying permissions can be associated with a crypto account. By rotating private keys, NEAR instructs users to revoke potentially leaked keysets and replace them with new ones.
