Protecting Your Fortmatic Account in Light of Recent Breaches

Sean Li
Fortmatic
Dec 29, 2020

The crypto market is on the rise, and along with it, mass credential breaches and password leaks on the Internet. This is exemplified most recently with the Ledger customer database breach, but there have been several other mass data/credential leaks throughout 2019–2020 such as those listed on HaveIBeenPwned, and many companies (TaskRabbit for instance) have experienced suspicious activities in the wake of these leaks (likely credential stuffing attacks).

Unfortunately, we have recently received a couple of isolated reports of account takeover by malicious actors who logged into victims’ Fortmatic accounts using leaked passwords. After a series of thorough investigations, we are confident that there has been no breach of Fortmatic’s infrastructure and that the integrity of our delegated key management remains sound. However, it is clear to us that a reminder of security best practices may be necessary. We are also making some changes that we hope will encourage end-users to adopt better security practices when using Fortmatic. This post details some best-practice suggestions and highlights a change we are going to be enforcing.

First, the most critical suggestion we can make is to never reuse your passwords across services, and to use more than one authentication method for your services. The best defense against an attacker who has your password is simply not to reuse that password anywhere else. You can further increase your security with a second authentication method (such as a mobile 2FA app), which ensures that someone who has only your password cannot access your account without additional information that you alone possess.

Second, on the topic of using multiple authentication methods, we are announcing that Fortmatic will now require that all end-users of Fortmatic use, at a minimum, email 2FA for all user login authentication moving forward. We understand from our discussions with end-users and developers that this may impact the overall user experience of Fortmatic. However, our primary goal is to deliver secure software that can be used by people of all technical abilities and can reliably be used to hold and self-custody their funds securely. Given the increasing number of recent attacks, we feel that the risk to most users from not having mandatory 2FA outweighs the inconvenience of not being able to disable basic 2FA for power users and developers.

However, email 2FA is a bare minimum and is not an ideal authentication method. The main weakness is that if your credentials have been exposed in a third-party breach and you reuse those credentials for your email account, your email can be compromised as well (though many email providers do have measures to protect you against this). As such, while we are not requiring that you use other methods of authentication, we will continue to monitor the situation and may require stronger forms of 2FA. Our longer-term plan is to go fully passwordless, since passwords are becoming obsolete as a means of account security, but in the meantime, securing your credentials is critical.

To ensure further protection of funds, we also recommend Fortmatic users to:

  • Update your current password to a randomly generated one using a password manager such as 1Password, especially if your password is reused elsewhere or is simple/short.
  • Set up secure 2FA using an authenticator mobile app such as Google Authenticator or Authy.

Both of these actions can be done via the Fortmatic user settings panel.
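To make concrete what an authenticator-app second factor adds to the password advice above and to the two recommended actions, here is an added example in Python. It is not Fortmatic code and does not describe Fortmatic’s own login implementation; the `Account` and `login` names, the PBKDF2 password-hashing choice and its parameters are assumptions made for the illustration. The one-time codes follow RFC 4226 (HOTP) and RFC 6238 (TOTP), which is what Google Authenticator and Authy implement, so a code generated by the app for the enrolled secret verifies here. The login check requires both factors, which is exactly why a leaked or reused password alone is not enough to take over the account.

```python
"""Password + TOTP (authenticator app) login check.

Added example for illustration only; not Fortmatic's code. The Account/login
names and the PBKDF2 parameters below are assumptions made for the example.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumed parameter; tune to your hardware budget


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps (phone clock skew).

    Every candidate is compared in constant time and the loop never exits early,
    so timing does not reveal which step matched.
    """
    matched = False
    for drift in range(-window, window + 1):
        candidate = hotp(secret, unix_time // step + drift, len(submitted) if submitted else 6)
        if hmac.compare_digest(candidate, submitted or ""):
            matched = True
    return matched


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Never store the password itself."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class Account:
    """Illustrative account record: password hash plus an enrolled authenticator secret."""

    def __init__(self, password: str):
        self.salt, self.pw_digest = hash_password(password)
        self.totp_secret = secrets.token_bytes(20)  # 160-bit secret, as RFC 4226 recommends

    def provisioning_secret(self) -> str:
        """Base32 form of the secret, which is what an authenticator app's QR code carries."""
        return base64.b32encode(self.totp_secret).decode()


def login(account: Account, password: str, code: Optional[str], unix_time: int) -> bool:
    """Both factors are always evaluated and the caller only learns pass/fail,
    so a leaked password cannot be confirmed valid by probing this endpoint."""
    password_ok = check_password(password, account.salt, account.pw_digest)
    code_ok = code is not None and verify_totp(account.totp_secret, code, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    acct = Account("correct horse battery staple")  # constructed sample password
    now = 1_700_000_000
    code = totp(acct.totp_secret, now)  # what the user's authenticator app would display
    print("password only:", login(acct, "correct horse battery staple", None, now))   # False
    print("password + code:", login(acct, "correct horse battery staple", code, now))  # True
```

The `verify_totp` window of one step on either side is the usual compromise between tolerating a phone clock that drifts by a few seconds and keeping a stolen code usable for at most about 90 seconds; a production deployment would additionally record the last accepted step so the same code cannot be replayed within that window.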

While we have only received a couple of reported cases on the Fortmatic side, we would still like to err on the side of caution and urge you to do the same, especially now that attackers have likely acquired information from the recent Ledger breach that helps them identify crypto users’ emails or other personal identifiers. If you reuse passwords with your Fortmatic account, you are especially at risk of phishing and credential stuffing attacks in the wake of recent breaches. Reusing your password across services while keeping it as the sole method of authentication should never be done and puts all of your funds at risk. Since at least 59% of users reuse their passwords across services, a breach anywhere is a security risk everywhere.

We are close to wrapping up this gauntlet of a year. It is difficult enough to stay physically safe; let’s make sure that our crypto stays safe too, and enjoy a peaceful holiday season and new year.

Sean Li, Fortmatic: ceo @magic_labs @fortmatic | ex-@docker @kitematic | @uwaterloo alumni