Security Briefing: Reflections on a hack, emails on the loose
This week, we caught up with a well-known bitcoiner to recap a hack he experienced last year and what we learned. Let's dive in!
Listen: Guarding your bitcoin from X attacks
We've seen many high-profile hacks on X (formerly Twitter) in recent years, including the infamous SEC hack on the eve of bitcoin ETF approval a few months ago. What happens behind the scenes when a hack occurs?
Pete Rizzo found out a year ago. The longtime bitcoin historian and journalist's X account was commandeered by a malicious actor shilling a token.
Rizzo was eventually able to regain control of his account, but he made some other discoveries along the way. For instance, his phone number had been SIM-swapped at his telecom provider. He also learned how to lock down his X account and close potential points of entry.
"It was a very exhausting process," Rizzo said. "When your digital security is under attack like that, you realize the extent that you're exposed."
Casa co-founders Nick Neuman and Jameson Lopp sat down with Rizzo yesterday on X Spaces in a retrospective about the hack, what Rizzo learned, and what it means for every bitcoiner. To listen, log into X and catch a recording here.
Almost 2 million contacts leaked from CoinGecko email provider
Crypto price tracker CoinGecko confirmed Friday that it had sustained a data breach via a third-party email platform earlier in the week.
An attacker compromised an employee account at GetResponse, the platform in question, and exported nearly 2 million contacts from CoinGecko's account. The compromised data includes names, email addresses, location of email opens, and IP addresses.
Thousands of phishing emails were reported to be circulating as well.
"Any email claiming to offer token airdrops by CoinGecko or GeckoTerminal are unauthorized emails sent by the attacker," the company said in a statement. "We do NOT have any officially issued coins or tokens."
🔑 Key Insight: Never trust an email and consider segmenting your email using multiple single-use addresses to reduce exposure from events like this one. Apple's "Hide My Email" address can be helpful for iOS users, and SimpleLogin is a viable alternative for Android users.
5 ways to personalize your Casa vault
You might know Casa vaults have multiple keys, but do you know everything you can do with your vault?
For instance, you don't have to use a mobile key in a 3-key vault. You can opt for a second hardware wallet. This option is great for those who don't want a key on a device they carry around all the time.
This introduction gives you several great paths to level up your self-custody. Check out these lesser-known features.
🎉 Fun fact: Ethereum test networks are named after metro stations around the world. For instance, Sepolia, the default recommended testnet on ethereum.org, shares its name with a station in Athens, Greece.