Near Protocol has disclosed a breach that may have exposed the seed phrases of some of its wallet users to a third party.
In a blog post, Near confirmed that the issue was reported to it on June 6 by the security audit firm Hacxyk, which was rewarded with a bounty. The issue was fixed immediately.
“While the team was aware of this threat, and careful to sanitize data collected by the third party service, a code change nevertheless resulted in the collection of sensitive data for some users who had used email or SMS recovery with their wallets.”
In a Twitter thread explaining the breach, Hacxyk identified the third party as “mixpanel.com”.
The security firm wrote:
“A POST request is made to http://mixpanel.com containing the base64 encoded version of the URL, which contains the seed phrase of the user. This allows anyone with access to the Mixpanel access log, or the Mixpanel account owner (e.g. Near devs), to have access to everyone who has clicked the link in the recovery email.”
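The mechanism Hacxyk describes has two parts worth seeing in code: the recovery link itself carries the secret, and base64 in the analytics payload hides nothing from anyone who can read it. The following is an added example, not code from Near, Hacxyk or Mixpanel. It assumes a recovery link that carries the seed phrase in a query parameter (the parameter names and the wallet.example host are assumptions, and the sample link is constructed from NATO-alphabet words, not a real key). It shows why log access is equivalent to plaintext access and how a client-side scrubber can redact sensitive query parameters and fragments before any URL reaches an analytics SDK.

```javascript
// Added example (not Near's or Hacxyk's code). Assumes a recovery link that carries
// the seed phrase in a query parameter; the parameter names below are assumptions.
const SENSITIVE_PARAMS = new Set(["seedPhrase", "seed_phrase", "privateKey", "recoveryToken"]);

// A 12- or 24-word lowercase phrase has the shape of a BIP-39 recovery phrase.
function looksLikeSeedPhrase(value) {
  const words = value.trim().split(/\s+/);
  return (words.length === 12 || words.length === 24) && words.every((w) => /^[a-z]+$/.test(w));
}

// Scrub a URL before it is handed to any analytics SDK: redact listed parameters,
// redact any parameter whose value has the shape of a seed phrase, and drop the
// fragment (it never reaches the origin server, but a client-side SDK can still read it).
function redactUrlForAnalytics(rawUrl) {
  const url = new URL(rawUrl);
  for (const name of [...url.searchParams.keys()]) {
    const value = url.searchParams.get(name);
    if (SENSITIVE_PARAMS.has(name) || looksLikeSeedPhrase(value)) {
      url.searchParams.set(name, "REDACTED");
    }
  }
  url.hash = "";
  return url.toString();
}

// Base64 is an encoding, not a protection: whoever can read the analytics
// payload or the access log recovers the URL, seed phrase included.
function encodeForAnalytics(text) {
  return Buffer.from(text, "utf8").toString("base64");
}
function decodeAnalyticsPayload(b64) {
  return Buffer.from(b64, "base64").toString("utf8");
}

// Build the tracking event so that every string property passes through the scrubber.
function buildTrackEvent(eventName, properties) {
  const safe = {};
  for (const [key, value] of Object.entries(properties)) {
    let cleaned = value;
    if (typeof value === "string") {
      try {
        cleaned = redactUrlForAnalytics(value); // value parses as a URL
      } catch {
        cleaned = looksLikeSeedPhrase(value) ? "REDACTED" : value; // plain string
      }
    }
    safe[key] = cleaned;
  }
  return { event: eventName, properties: safe };
}

// Constructed sample recovery link (NATO-alphabet words, not a real key).
const SAMPLE_LINK =
  "https://wallet.example/recover-with-link?seedPhrase=" +
  "alpha%20bravo%20charlie%20delta%20echo%20foxtrot%20golf%20hotel%20india%20juliet%20kilo%20lima" +
  "&lang=en#step2";

// What an analytics log holder sees after decoding, versus what the scrubber lets through.
function demo() {
  return {
    decodedFromLog: decodeAnalyticsPayload(encodeForAnalytics(SAMPLE_LINK)),
    scrubbedEvent: buildTrackEvent("recovery_link_opened", { current_url: SAMPLE_LINK, locale: "en" }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The scrubbed event keeps the page path and non-sensitive parameters (useful for analytics) while the seed phrase parameter becomes `REDACTED` and the fragment is dropped; the decoded payload shows the full link, which is exactly what the access-log holder in Hacxyk's description would see.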
Hacxyk said it shared the information publicly because the flaw was technically similar to the recent Solana wallet hack, in which a Slope wallet vulnerability led to the loss of $6 million worth of crypto from more than 10,000 wallets.
Notably, neither Near nor Hacxyk disclosed the incident publicly when it happened back in June.
Although Near says it has not yet received any report of losses, it advises users who previously used the email or SMS recovery options to rotate their keys. The blockchain network has also stopped offering both recovery options.