MyDashWallet, a cryptocurrency wallet that supports DASH, has revealed that it has been compromised for the past two months. In a post on the Dash forum, Michael Seitz, the wallet’s marketing manager, urged users to move their funds quickly or risk losing their DASH tokens entirely, if they had not been stolen already.

Seitz wrote:

Today it was discovered that was compromised. The hacker was able to obtain private keys used between May 13th and July 12th. Out of an abundance of caution, anyone using in that timeframe should assume their private keys are known by the hacker and should immediately move any balances out of that wallet.

It all started in April 2018, when MyDashWallet was modified to load an external script from GreasyFork, a script hosting website. On May 13, 2019, a hacker compromised the GreasyFork account of the original author of the script, adding code that sent users’ private keys to an external server. According to another DASH representative, Leon White, who also posted on the forum, the change to the code was only detected two months later on July 12 after the hacker used the private keys to move user funds.
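The weakness described above is a page that runs whatever a third-party host serves at load time. The following Node.js sketch is an added example, not code from MyDashWallet or from the forum posts: it flags cross-origin script tags that lack a Subresource Integrity pin and shows that a pinned hash rejects a modified script body. The host names and script contents are constructed placeholders.

```javascript
const crypto = require("crypto");

// SRI value for a script body, in the form browsers expect: "sha384-<base64>".
function sriHash(body, algo = "sha384") {
  const digest = crypto.createHash(algo).update(body, "utf8").digest("base64");
  return `${algo}-${digest}`;
}

// List <script src> tags that load from another origin without an integrity pin.
function unpinnedThirdPartyScripts(html, pageOrigin) {
  const findings = [];
  const ownOrigin = new URL(pageOrigin).origin;
  for (const [, attrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline script: nothing is fetched
    const url = new URL(src[1], pageOrigin); // resolves relative paths
    const pinned = /\bintegrity\s*=\s*["'][^"']+["']/i.test(attrs);
    if (url.origin !== ownOrigin && !pinned) findings.push(url.href);
  }
  return findings;
}

// True only if the fetched body still matches the hash pinned at review time.
function matchesPin(body, pinned) {
  const algo = pinned.split("-")[0];
  const actual = Buffer.from(sriHash(body, algo));
  const expected = Buffer.from(pinned);
  return actual.length === expected.length &&
    crypto.timingSafeEqual(actual, expected);
}

// Constructed sample data (hypothetical hosts and script contents).
const reviewedScript = "function formatAmount(a){return a.toFixed(8);}";
const tamperedScript = reviewedScript +
  "/* lines added later by whoever controls the hosting account */";
const pin = sriHash(reviewedScript);
const samplePage = `
<script src="/js/wallet.js"></script>
<script src="https://scripts.example/helper.js"></script>
<script src="https://cdn.example/lib.js" integrity="${pin}" crossorigin="anonymous"></script>`;

// The unpinned cross-origin script is reported; the pinned one is not.
console.log(unpinnedThirdPartyScripts(samplePage, "https://wallet.example"));
// The reviewed body passes the pin, the modified body does not.
console.log(matchesPin(reviewedScript, pin), matchesPin(tamperedScript, pin));
```

A pin only works for a script whose content is meant to stay fixed; where the upstream script changes legitimately, serving a reviewed copy from the site's own origin removes the dependency on the third-party account.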

The extent of the damage is not yet known. However, MyDashWallet users have been advised to transfer any DASH they hold in their wallets as fast as they can, with the hacker believed to hold many of the users’ private keys.

One user, FabioEcoe, had his wallet raided and saw 143.84 DASH ($17,500) stolen by the hacker.

While the operators of the wallet have come under intense criticism from the crypto community, one security expert pointed out that the integration of third-party code is a problem that affects all industries in the digital ecosystem.

Deepak Patel, a security expert at cybersecurity firm PerimeterX, told Silicon Angle:

An understanding of digital ecosystems, especially third-party code, is a problem for a plethora of organizations. While it is a perfectly normal part of building an online environment to engage third-party code providers and affiliates, it creates a murky world of shadow IT and organizations rendering on an organization’s website that has not been properly vetted by said organization. This leaves the digital supply chain of the web properties vulnerable to JavaScript hacks such as this, as well as to legislative penalties as a result of GDPR or other similar privacy legislation.

