Important Telos Ecosystem Update
A very small number of users had their accounts compromised in a private key-sniffing malware incident earlier this week.
Yesterday, Douglas Horn, chief architect of the Telos blockchain, joined us on a community update to talk about what we know and offer some personal security best practices. You can watch the AMA below.
Short on time? Here’s an overview:
- 10 users had their accounts cleared of funds
- We believe Telos Sign was the commonality between users
- To clarify, neither the Telos EVM or the Telos blockchain were compromised
- Users’ private keys were most likely obtained via a form of malware that attached itself to the users browser, which acquired information such as private keys that were pasted into the browser.
- Lots of metadata was left behind from the transfers between accounts which is progressing the investigation
Safety Precautions
Investigations are ongoing to determine the exact source of the incident. The Telos Core Team has been working closely with those affected. We appreciate the patience and cooperation of everyone involved.
If you have reason to believe that another party may have gained access to your private keys, we recommend that you move your funds to a new account as a safety precaution. Alternatively, more experienced users may prefer to change their owner and active private keys on their current account. As always, the best practice is to have separate keys for both your owner and your active keys. You can learn how to reset your keys here.
Also, if you have a large amount of crypto assets, it’s always a good idea to have two separate accounts. One which you use as a spending wallet, holding a small amount of tokens for your day to day transactions, and the other as a savings account holding the bulk of your crypto assets.
As an additional measure, users can stake their tokens in REX and move them into REX Savings. This will create a 4-day buffer between unstaking and receiving funds. Then, consider using a tool such as The Telescope Bot to be notified of account activity.
Telos Sign has been taken down for maintenance. We encourage users to utilize a reliable wallet for the time being, such as Anchor Wallet, until the investigation is complete. You can download Anchor Wallet here. You can follow this guide to import your keys into Anchor Wallet.
We will be releasing further documentation on this process and other best-practice security processes in the coming days.
Next Steps
The Telos Core team is diligently reviewing this issue with those affected. If you were one of those users, please get in touch at hello@telosfoundation.io. Never reply to emails or messages from people claiming to be part of the Telos Core Team unless you have initiated the conversation. We will never message you first.
Members of the community and the Telos Core Team have begun exploring options to return funds to those affected. However, our number one priority is to understand what happened and ensure the safety of other users.
We will provide a more detailed update as soon as we gather more information and have concrete details to share with our community.
