UPDATED 22:10 EST / JULY 15 2019

BLOCKCHAIN

Funds stolen in hack of MyDashWallet cryptocurrency service

MyDashWallet, a popular wallet service for users of the Dash cryptocurrency, was compromised and user funds stolen for a period of two months.

Dash, currently the 15th most popular cryptocurrency by market capitalization, operates as a decentralized autonomous organization run by a subset of users. A fork from the bitcoin protocol, the cryptocurrency has found a willing audience — hence its appeal to hackers looking to profit from its theft.

The attack involved a hacker or hackers exploiting a vulnerability in an external library used by MyDashWallet to gain access to the service on May 13. Over the following two months, those behind the hack exploited the vulnerability to insert malicious code that automatically sent the private keys of MyDashWallet users to an external server.

The exploit was detected on July 12, with the external vulnerability and malicious code removed from the service. How much Dash was stolen is currently unclear, but as TNW reported, one user claimed to have had about $17,500 in Dash stolen from an account.

Users are being encouraged to remove their funds from the service. “Out of an abundance of caution, anyone using mydashwallet.org in that timeframe should assume their private keys are known by the hacker and should immediately move any balances out of that wallet,” Michael Seitz, marketing manager for dash.org, wrote on the Dash forum.

MyDashWallet echoed the advice, advising users to move their funds from their original wallets to a new “HD Wallet” that’s safe from the original compromise and stolen private keys.

The fact that the compromise was the result of the use of an external library has drawn attention. Deepak Patel, security evangelist at PerimeterX Inc., told SiliconANGLE that this kind of hack is not exclusive to cryptocurrencies.

“An understanding of digital ecosystems, especially third-party code, is a problem for a plethora of organizations,” Patel explained. “While it is a perfectly normal part of building an online environment to engage third-party code providers and affiliates, it creates a murky world of shadow IT and organizations rendering on an organizations’ website that has not been properly vetted by said organization. This leaves the digital supply chain of the web properties vulnerable to JavaScript hacks such as this, as well as to legislative penalties as a result of GDPR or other similar privacy legislation.”

To stop these hacks, he said, organizations must take a more robust approach to discovering who is operating on their websites and take a hard look their privacy policies, he added.

Image: Marco Verch/Flickr

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU