MyDashWallet was quietly compromised for two months

Dash’s answer to MyEtherWallet has been hacked.

The Dash-focused crypto wallet, MyDashWallet, reportedly succumbed to a data breach two months ago—exposing users’ private keys–but has only just been reported. This means the hacker is able to steal any funds from the wallets of those affected.

In a forum post, Dash’s marketing manager Michael Seitz, said the hacker was able to steal the private keys of anyone who used the wallet between May 13 and July 12. “Anyone using mydashwallet.org in that timeframe should assume their private keys are known by the hacker and should immediately move any balances out of that wallet.”

On the plus side, Seitz claims that anyone who used a hardware wallet to store their funds are unaffected by the hack.

But how was the wallet compromised?

Philipp Engelhorn, communications at Dash, explained that, in April, the wallet was modified to use a piece of code hosted on GreasyFork—a code site. However, the hacker managed to compromise the GreasyFork account of the person who set this feature up. And once in, they changed the code that was connected to the wallet.

With the modified code, the wallet then started sending users’ private keys out of the wallet, into the hacker’s hands. They then built up a collection of keys—before starting to move people’s funds. It is unknown how much Dash has been stolen.

Engelhorn also highlighted that the wallet hadn’t been sufficiently reviewed or audited—saying that doing so would have picked up the problem.

The wallet was originally funded by the Dash DAO—a decentralized funding organization for Dash-related projects. In its pitch deck, the DAO warned uses to not use the service for large amounts, instead reserving it for things like tipping. Hopefully affected users heeded the warning.