MyDashWallet Compromised for Two Months

Reading Time: 2 minutes

MyDashWallet, an online Dash wallet, has been unknowingly compromised for two months, allowing hackers to obtain private keys and empty wallets at will. The compromise was uncovered Friday, with an investigation revealing that it began on May 13, nearly nine weeks prior, leading to Dash announcing that anyone using the service “should assume their private keys are known by the hacker” and should move their funds as soon as possible.

Insecure Coding Practice

MyDashWallet is a third-party online wallet for Dash tokens that is not related to the Dash core project. In a response to those who questioned the core team’s role, Dash Core CMO Fernando Gutierrez stated that MyDashWallet “was not developed nor maintained by the Dash Core Group team. We only got involved after the fact to try help [SIC] everyone affected.” The team also announced that those who used MyDashWallet in conjunction with a hardware wallet were not affected, and that the hack didn’t extend to any other third-party wallets. An explanatory post on the Dash forum from a core team member blamed an “insecure coding practice implemented by MyDashWallet” that went undetected by their team for over a year due to “insufficient review of code by third parties”.

Wallet Safety in the Spotlight Again

The hack once again raises questions over the safety of web-based wallets, where information rests on third-party servers that can be breached. There are many different wallet types around from the likes of Trezor, Ledger, and even Sony, with hardware wallets being the best combination of security and convenience right now. Online wallets are suitable for small amounts that are regularly moved around, but holding large amounts or small amounts for a long time are better suited to safer storage methods like hardware wallets.