Attackers gained access to MyDashWallet between May 13, 2019, and July 12, 2019, and stole the private keys.
The big picture
MyDashWallet disclosed that its external site serving CryptoJS scripts was compromised on May 13, 2019. The online wallet warned its users to move their funds to a new HD Wallet.
“To be safe please MOVE your funds to a new HD Wallet (create new wallet in new browser tab or with any other wallet, copy target address, move all funds from your old wallet to the new wallet),” MyDashWallet said.
Michael Seitz, Marketing Manager at Dash said in a forum that a hacker gained access into the system between May 13 and July 12 and obtained the private keys to any wallet during that period. Anyone who used mydashwallet.org between May 13 and July 12, 2019, should have had their private keys compromised.
However, users who used MyDashWallet in conjunction with a hardware wallet or with associated tipbots are not affected. Dash Core Group is assisting the online wallet in resolving the incident and notifying law enforcement.
“The hack itself was only active for two months before being detected. The insecure coding practice implemented by MyDashWallet went undetected for over a year due to insufficient review of code by third parties. In the future, all code handling private keys should be reviewed thoroughly before being trusted with user funds. In particular, the use of local keystore files should be discouraged in favour of hardware wallets, similar to best practices implemented by MyEtherWallet,” Tungfa said.