Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register

Quick Links


Shells Virtual Desktop
BMail.ag - Secure Email Service
Server.net
CPLicense.net
VPS Server
Buy VPN
Vultr
VMs for AI
HostDare
ReliableSite White-Label Dedicated Hosting for Resellers
InterServer VPS
BMail.ag - Secure Email Service
Best VPN
High-Performance Bare Metal Server Solutions
Karvl.com
Server Mania Cloud Hosting
DataWagon Hosting
AlphaVPS Hosting
Evoxt.com
Clouvider
VPS Hosting with NVMe
Residential IPs in the US & 4G Mobile Proxies in EU & US with Unlimited Bandwidth
ReliableSite White-Label Dedicated Hosting for Resellers
Rabisu - Hosting Solutions
Shells Virtual Desktop

Categories

In this Discussion

Home General
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Anyone got Metamask Phishing mail on your Berohost specific Email

13»

Comments

  • blip1945blip1945 Member

    That unique email alias per service and website really does wonder, let you pinpoint exactly where the supposed breach originated from because that alias is unique to that specific provider only. Wasn't even that hard to manage with a password manager to store which alias to which service and website url.

    Thanked by 3oloke Nekopara Decicus
  • olokeoloke Member, Host Rep

    I registered on @berohost today in hopes of getting some nice phishing email but so far no luck... :(

    Thanked by 12tentor Nekopara beanman109 buggedout admax Decicus COLBYLICIOUS Murv JohnnySac tux Saragoldfarb forest
  • barbarosbarbaros Member

    @oloke said:
    I registered on @berohost today in hopes of getting some nice phishing email but so far no luck... :(

    Hello just DM us your password to save us time

    Thanked by 5oloke beanman109 buggedout Decicus Murv
  • DejavuMoeDejavuMoe Member

    I checked my email and the spam/junk folder, but didn't find a similar email.

    Thanked by 1oloke
  • stan1999stan1999 Member

    Return-Path: 010f019d2fe2c336-8d8d7d4c-b9f9-4478-ad7f-bfa279e19447-000000@us-east-2.amazonses.com
    Delivered-To: 123@onlybero
    Received: from XXX
    by XXX with LMTP
    id qoVbJXagxmkSDjQA2EibDg
    (envelope-from 010f019d2fe2c336-8d8d7d4c-b9f9-4478-ad7f-bfa279e19447-000000@us-east-2.amazonses.com)
    for <123@onlybero>; Fri, 27 Mar 2026 23:21:26 +0800
    Received: from e226-3.smtp-out.us-east-2.amazonses.com (e226-3.smtp-out.us-east-2.amazonses.com [23.251.226.3])
    by XXX (Postfix) with ESMTPS id A9BC2181D16
    for <123@onlybero>; Fri, 27 Mar 2026 23:21:25 +0800 (CST)
    Authentication-Results: 123@onlybero;
    dkim=pass (1024-bit key; unprotected) header.d=amazonses.com header.i=@amazonses.com header.a=rsa-sha256 header.s=ndjes4mrtuzus6qxu3frw3ubo3gpjndv header.b=uGB4BC6P;
    dkim-atps=neutral
    DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
    s=ndjes4mrtuzus6qxu3frw3ubo3gpjndv; d=amazonses.com; t=1774624883;
    h=Content-Type:MIME-Version:From:To:Subject:Message-ID:Date:Feedback-ID;
    bh=2lg1TSp00bHyPjXST9BwV0dLb1nBOeh0XdYb7unuGUo=;
    b=uGB4BC6PvIFw33jg0v0VdDahg/sev/gemDV1D40wOlwu39EObyQzWuCN7xApgK1O
    sMWXPbx+LojAxB2BuZcuv6lpv7pZ+5Ln6btKzNhK7dmg80AzwF+G63fDi9Ed0Cb8iCz
    WDJgExI2P8Ypa+dKYKW7kFV8X2JAaDBXtoUHxvJU=
    Content-Type: multipart/mixed; boundary="===============2242680903292248951=="
    MIME-Version: 1.0
    From: "metamask.io" declaraciones@scep.gob.gt

  • ascicodeascicode Member

    Any news for this case?

  • suyadi92suyadi92 Member

    @oloke said:

    @default said:

    @Neoon said:
    I also got the phishing mail, same sender etc.
    Someone def. breached something.

    @sillycat stop smoking - it's unhealthy :neutral:

  • muhbootloadermuhbootloader Member

    This is the first time I've seen this

  • JohnFilch123JohnFilch123 Member

    Got the same email but from no-reply@vuala.com on 28 Mar.

    ended up in my spam, so have not noticed it.

    Thanked by 1oloke
  • ymlsmymlsm Member

    It's incredible that there's still no meaningful information about what happened. It's now the fourth day, and no one from Bero has released any statement, even though the evidence points 100% to a leak on their side.

    Thanked by 1oloke
  • JosephFJosephF Member

    Perhaps they have no idea how it happened.

    Thanked by 1iKeyZ
  • magicvpnmagicvpn Member

    Since nobody posted it here yet and I just got home from work:

    Thank you for your report.

    We take reports of this nature very seriously and have conducted a comprehensive review of the matter. As we wanted to carry out a thorough internal analysis first, our response has unfortunately been slightly delayed. With this message, we would like to provide you with a transparent interim update on our findings to date.

    On March 27, we were informed by a small number of customers that they had received a phishing email purporting to be from MetaMask, sent to the email address registered with BERO HOST. In the days that followed, we received additional reports regarding emails with the same or very similar content. Based on our current knowledge, this appears to affect only a very small portion of our customers. Regardless of the number of reports received, we immediately treated the matter with the utmost seriousness and initiated a comprehensive investigation.

    Within approximately 24 hours, we thoroughly reviewed all relevant systems that process, store, or otherwise interact with customer data. This included, in particular, our central customer database and shop system, our web hosting systems, domain management, and our internal mailing list and newsletter systems. In addition, we evaluated access logs, system logs, and monitoring data, and reviewed login events, administrative access, API usage, export capabilities, and any unusual system activity. Based on our current findings, we have identified no evidence of unauthorized access to these systems. At this time, we have no indication that customer data was exfiltrated from our core systems.

    In the days following the initial reports, we also received notifications via our Discord server and several online forums. These, too, consisted only of isolated reports. In addition, we conducted internal checks using our own email accounts and contacted more than 250 customers to determine whether they had received similar emails. Based on the responses available to us, this was not the case. According to our current understanding, only a very small subset of our customers appears to have been affected by this specific observation.

    Since March 27, we have also been contacted by more than 100 individuals who stated that they received the same or a very similar email at the same time, despite never having registered with us. This suggests that the distribution of these phishing emails may not be exclusively related to our customer data and that other data sources may also be involved.

    We would like to state explicitly that, at this time, neither our internal investigation nor the additional review conducted by an external security firm has identified any evidence of unauthorized access to our systems. The reports received so far relate exclusively to the receipt of phishing or spam emails. No other security-relevant abnormalities, such as unauthorized access to customer servers or other services, have been reported to us in this context.

    Even though we currently have no indication of unauthorized access to our systems, we recommend that you review your account security as a precaution. Please change the password for your customer account and any services you use with us if needed. We also strongly recommend enabling two-factor authentication (2FA), if you have not already done so.

    Please also do not open links or attachments contained in suspicious emails, and in particular, do not enter any login credentials, private keys, or payment information on linked websites. If you have already interacted with such an email, you should immediately change any affected passwords, review your existing security settings, and secure any connected accounts as necessary. Taking these steps can further reduce the risk of potential misuse.

    Our analysis is not yet complete. We are currently continuing to examine possible causes, including potential data leaks involving third-party providers or other internal services. In addition, we are reviewing our internal access and authorization models as well as historical access possibilities to certain data sets, particularly with regard to email addresses. In some areas, we are dependent on cooperation with third-party providers, as we do not have full API logs or internal monitoring data from external service providers in all cases.

    Should we ultimately conclude that, contrary to our current understanding, personal data was in fact compromised from our systems, through improperly used access rights, or via connected third-party providers, we will of course inform affected customers without delay and, where required, notify the competent data protection authority in accordance with the GDPR.

    Regardless of the outcome of the ongoing analysis, we are already working to further strengthen our systems and processes. Together with an external security firm, we are currently developing additional measures to improve the protection of our internal systems and further reduce potential security risks. We are also planning enhanced security awareness and training measures for all employees.

    Of course, we remain available at any time should you have any further questions.

    Best regards,

    Thanked by 6oloke maverick blip1945 DanSummer Jessib404 forest
  • kenjing789kenjing789 Member

    So anyone drafting post on Requests yet so i can grab some bero juice ?

    I didnt get the mail and as them statement, i have 2FA up so might be SQL injection or auth bypass

  • NekoparaNekopara Member

    no idea how anyone would get my exclusively generated email alias for bero-host. i find it really unlikely that simplelogin was breached

    Thanked by 2tentor oloke
  • JosephFJosephF Member

    @Nekopara said:
    no idea how anyone would get my exclusively generated email alias for bero-host. i find it really unlikely that simplelogin was breached

    If SimpleLogin was breached you'd see the same spam on your other aliases with them.

    Thanked by 1tentor
  • ObelousObelous Member

    @magicvpn said: contrary to our current understanding

    lol

  • magicvpnmagicvpn Member

    @Nekopara said: i find it really unlikely that simplelogin was breached

    I don't even use simplelogin, it would have to be bitwarden that would be breached for me. Though I use berohost@, but what are the chances of someone knowing my domain name is associated with berohost?

  • yoshikiyoshiki Member

    @magicvpn said:

    neither our internal investigation nor the additional review conducted by an external security firm has identified any evidence of unauthorized access to our systems.

    @berohost I'm sure the external security firm sent you a PDF security audit, so... can we have it?

  • Jessib404Jessib404 Member

    lol that PR statement is a joke. "contrary to our current understanding" basically just means their logging is terrible and they dont have the data to prove who dumped the database.

    I dont buy the deflection to third party providers at all. lots of us never even opted into any newsletters or extra services. if some external third party provider leaked this, why is our data sitting on their systems in the first place? pointing the finger at vague external services because they "do not have full API logs" from them is classic damage control.

    also I know for a fact my email alias was a completely unique random string generated just for bero. you literally cant guess it. I dont know how cryptic everyone elses aliases were, but multiple people here confirmed using dedicated bero only addresses. if a provider like simplelogin actually got breached there would be massive threads everywhere about it. but its strictly the bero specific aliases getting hit.

    and look at the numbers claimed in that statement because they make zero sense. they say only a "very small subset" of customers or "isolated reports" got affected. but then they claim "more than 100 individuals" contacted them saying they got the email despite never registering with bero. really? so more random people went out of their way to contact a small host than their actual customers did? in this whole thread we have exactly one person claiming they got it without an account, and we cant even confirm if thats true or if they just forgot an old account. I honestly think these numbers are completely fictional just to downplay the breach and make it look like some random spam campaign instead of a bero leak.

    my guess is their logs are gone or not setup right to catch whatever happened. maybe that livewire bug or someone grabbed an admin login. the attacker just dumped the tables and sold it for cheap on some forum and now some buyer is feeding it into an automated botnet with generic metamask crap. the original attacker is long gone.

    honestly it seems like they are just denying it to dodge the mandatory data breach reporting. having to officially tell the privacy authorities is a massive headache and a ton of paperwork that nobody wants to deal with.

    unless we are dealing with some insane coincidence, all signs point directly to a leak of the customer database. since we cant know what else was taken i am treating it as fully compromised. I moved my vps data out, wiped everything and im letting it expire. if anyone still has sensitive stuff there you should really think about moving until they drop a real technical post mortem instead of this PR fluff.

  • ascicodeascicode Member

    At least there was no continued mails send by the victims so far. But its bad for most of us, using mail adresses with others too.

  • lowendlurkerlowendlurker Member
    edited April 2

    Also bero only address, account registered ~1year ago but never used any of their service.
    They put effort in the headers but good ol' rspamd put it to junk ❤️

Sign In or Register to comment.