NEAR Protocol, a Layer 1 blockchain, notified users that SMS and email data used as recovery options in its core wallet offering were leaked to a third party in June. In a new report, NEAR said the issue was resolved before any harm was done.
NEAR Protocol’s wallet offering at wallet.near.org allows users to add recovery options including email data or phone numbers to their crypto wallet accounts. A bug in the system accidentally exposed sensitive details to a third party.
NEAR said it was able to address the situation quickly by revoking the third party's and its own employees' access to the data, so the leak did not become a threat to users' funds or privacy.
"The wallet team immediately remediated the situation, scrubbed all sensitive data, and identified any personnel who could have had the ability to access this data," the team said.
The bug was reported on June 6 by a web3 security auditing firm called Hacxyk, which was paid a $50,000 bounty. Still, the NEAR Protocol team had not shared the information until now.
Hacxyk told The Block that the third party was Mixpanel, an analytics service NEAR used. Hacxyk compared the incident to the ongoing Slope Wallet issue, in which wallet details were accidentally transmitted to a centralized server. It added that in NEAR's case, private keys may have been compromised as well.
"We believe the nature is very similar to the recent Slope wallet hack on Solana. In short, the seed phrases were unknowingly leaked to the third party Mixpanel, an analytics service, when users chose email/SMS as the seed phrase recovery method. This means users’ seed phrases are stored into Mixpanel’s server," Hacxyk said.
As a security measure, NEAR Protocol said it no longer allows users to create accounts using email or SMS for account recovery. It also advised users who had previously used email or SMS recovery options with their NEAR wallet to "rotate their keys" or add a hardware wallet, such as a Ledger.
Per Hacxyk, the account model for NEAR wallets differs slightly from Ethereum's: a NEAR account can hold multiple access keys with different permissions. By telling users to rotate their keys, NEAR is asking them to revoke the access keys that may have leaked and add fresh ones to replace them.
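The rotation described above, written as an added example rather than anything published by NEAR or Hacxyk: a POSIX shell helper around the legacy `near-cli` commands (`near keys`, `near add-key`, `near delete-key`) that adds the replacement full-access key first, confirms it is visible on the account, and only then deletes the suspect key, so an account is never left without a usable key. The account and key values in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not NEAR's own tooling. Assumes legacy near-cli is installed,
# `near login` has been run for the account, and keys are given as
# "ed25519:<base58>" public keys (the form `near keys` prints).

# Return 0 if `near keys` for the account currently lists the given public key.
near_has_key() {
    acct="$1"; key="$2"
    near keys "$acct" | grep -Fq "$key"
}

# rotate_near_key <account> <old_public_key> <new_public_key>
# Order matters: add the new key, verify it is live, then revoke the old one.
# Refuses if both keys are the same (deleting it would lock the account out) or
# if the new key never shows up on-chain (the old key is then kept, not deleted).
rotate_near_key() {
    acct="$1"; old_key="$2"; new_key="$3"
    if [ "$old_key" = "$new_key" ]; then
        echo "refusing: new key is identical to the key being revoked" >&2
        return 1
    fi
    near add-key "$acct" "$new_key" || return 1          # full-access key
    if ! near_has_key "$acct" "$new_key"; then
        echo "refusing: $new_key not visible on $acct; $old_key kept" >&2
        return 1
    fi
    near delete-key "$acct" "$old_key" || return 1
    echo "rotated $acct: added $new_key, revoked $old_key"
}

# Example call (placeholder account and keys):
#   rotate_near_key alice.near ed25519:OLDKEY ed25519:NEWKEY
```

Generate the replacement key pair locally first (for example with `near generate-key`) and pass its public half as the new key; the suspect key is the one the email/SMS recovery flow created.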