First and foremost, everything is safe, secure and untouched. We are back online and our security measures worked as intended.
On August 11th, we had a security incident related to a malicious actor gaining access into a personal email of our lead developer. This led to the actor accessing the hosting provider that the Mintable domain was purchased on. They did not change, or get access to Mintable’s server, just the domain name which was hosted on a third party site. Below is the timeline of what happened.
Early morning August 11th — lead developers phone was sim swapped via social engineering and negligence by the mobile phone provider.
An hour later — The email was recovered using the sim swapped phone and the hacker attempted to steal the crypto of the lead developer. After attempting to gain access into the crypto portfolio of the developer and failing, the hacker looked into other options for malicious behavior.
Around the same time — the hacker used the phone number on twitter to find the only account tied to it, Mintable’s.
This led to the hacker looking into Mintable and seeing what it was. We believe the hacker did not know about Mintable before hand and was simply targeting the personal emails of our developer to steal their crypto.
Once the hacker found Mintable, he searched the email history for it and found the domain purchase from 2 years ago where he then recovered the account for that third party site to access our domain.
Shortly after — the hacker posted on twitter saying he would delete the domain — our security protocol for the domain went into place and it was completely locked down, as well as the whole account. Taking the domain offline.
The hacker attempted to redirect the mintable.app domain to a youtube video, but it never actually happened as the domain was taken offline.
In an event of unauthorized access our first line of defense is actually to take our domain offline so no user can access the site and potentially damage it.
This worked perfectly and no user was affected by this event. (even though it was just a redirect to a youtube video as an attempt to troll).
After the sim was regained around 18 hours later, the domain was still locked and the site was still offline.
It took 2 to 2.5 days to check and confirm that access to our servers or any changes were not made. After which we could get everything unlocked.
There was never at any point any risk to our users. We don’t store any user funds, any user keys, any user NFTs on our servers. And additionally, our severs were not touched.
As mentioned earlier, we do not believe this was an attack on Mintable, but instead an unfortunate connection between a personal email and a tie to Mintable.
We are back online and everything is operational again. We’d like to thank MetaMask for their swift action to put Mintable on the phishing list and prevent users from visiting the site, even though our site was offline just for this exact reason – to protect our users.
We are implementing new security practices to remove any connections from personal emails to our company and, as most people would probably say — why are you using SMS 2FA and not google auth. We are using the highest level of 2FA available for each service.
This is why the only access that was able to be taken was the email, and the domain hosting provider. Both of those ONLY offer SMS 2FA, which was enabled, but they do not offer google auth. (we are looking into switching to better providers).
Again, no users have been affected, no code has been changed, no malicious activity has been detected.
We are very sorry that this happened and we are taking measures and implementing measures to prevent such activity from ever happening again.
Thank you for your support and patience during this event.