co founder of @metamask . Making computers behave for us.

Earlier this morning @danfinlay's account posted a message about a token. This message wasn't posted by Dan and we've been looking into what may have happened. 

We're still investigating and don't have a root cause yet, but believe this issue only affects this particular account. More details in thread.

Technowatermelon. Elder Millenial. Building Farcaster. 

nf.td/varun

The message about the token was posted at ~ 7:15am PT using Warpcast. 

A little before that, someone logged into Dan's account from a Windows machine. They used the email authentication flow to request a magic link, and appeared to be able to authorize it from Dan's email.

It's not clear how they were able to get authorization from Dan's email, and we're investigating this. We will post an update here soon. 

We're also going to add 2FA, so that users are more strongly protected if their emails get compromised.

email auth remains a critical attack vector. trustless > trusted systems