MyDashWallet, a popular wallet service for users of the Dash cryptocurrency, was compromised and user funds stolen for a period of two months.

Dash, currently the 15th most popular cryptocurrency by market capitalization, operates as a decentralized autonomous organization run by a subset of users. A fork from the bitcoin protocol, the cryptocurrency has found a willing audience — hence its appeal to hackers looking to profit from its theft.

The attack involved a hacker or hackers exploiting a vulnerability in an external library used by MyDashWallet to gain access to the service on May 13. Over the following two months, those behind the hack exploited the vulnerability to insert malicious code that automatically sent the private keys of MyDashWallet users to an external server.

The exploit was detected on July 12, with the external vulnerability and malicious code removed from the service. How much Dash was stolen is currently unclear, but as TNW reported, one user claimed to have had about $17,500 in Dash stolen from an account.

Users are being encouraged to remove their funds from the service. “Out of an abundance of caution, anyone using mydashwallet.org in that timeframe should assume their private keys are known by the hacker and should immediately move any balances out of that wallet,” Michael Seitz, marketing manager for dash.org, wrote on the Dash forum.

MyDashWallet echoed the advice, advising users to move their funds from their original wallets to a new “HD Wallet” that’s safe from the original compromise and stolen private keys.

The fact that the compromise was the result of the use of an external library has drawn attention. Deepak Patel, security evangelist at PerimeterX Inc., told SiliconANGLE that this kind of hack is not exclusive to cryptocurrencies.

“An understanding of digital ecosystems, especially third-party code, is a problem for a plethora of organizations,” Patel explained. “While it is a perfectly normal part of building an online environment to engage third-party code providers and affiliates, it creates a murky world of shadow IT and organizations rendering on an organizations’ website that has not been properly vetted by said organization. This leaves the digital supply chain of the web properties vulnerable to JavaScript hacks such as this, as well as to legislative penalties as a result of GDPR or other similar privacy legislation.”

To stop these hacks, he said, organizations must take a more robust approach to discovering who is operating on their websites and take a hard look their privacy policies, he added.

Image: Marco Verch/Flickr