MyEtherWallet, one of the internet’s most popular services for managing cryptocurrencies, suffered a serious security issue for the second time this year after a widely-used VPN service was compromised for five hours.
MyEtherWallet (MEW) is used to access crypto wallets and send and receive tokens to/from other wallets. Today, it warned that users of its service who utilize Hola, a free VPN which plugs into browsers and claims nearly 50 million users, may have been caught up in a malicious attack to steal crypto. Regular users of MEW were not impacted by the breach because the MEW service itself wasn’t compromised.
The company said that Hola was compromised for a period of five hours, during which time any Hola users who navigated to MEW and accessed their wallet with the VPN switched on may have been affected. MEW is recommending that anyone who used the site and VPN in the last 24 hours transfer their tokens to a new wallet… assuming that they still have access to them.
The incident is a good reminder of why it is better to pay for a VPN service rather than use a free one. Back in 2015, Hola was accused of surreptitiously performing DDoS attacks “on demand” for paying clients using the computing power of its users, so the writing has been on the wall.
MEW pointed TechCrunch to statements on Twitter when asked for comment on the incident. The company said the attack “appeared to be a Russian-based IP address.”
“The safety and security of MEW users is our priority. We’d like to remind our users that we do not hold their personal data, including passwords so they can be assured that the hackers would not get their hands on that information if they have not interacted with the Hola chrome extension in the past day,” MEW added.
We contacted Hola for comment but had not heard back from the company at the time of writing.
It isn’t yet clear how many users were hit, but the situation recalls a similar incident in February when MEW was affected by a DNS attack that saw at least $365,000 of crypto stolen from users.
MEW is one of the most popular wallet services on the internet, but other options include MyCrypto — a service launched by a former MEW co-founder — and imToken, which is run by a China-based company that recently raised $10 million from investors.
Note: The author owns a small amount of cryptocurrency. Enough to gain an understanding, not enough to change a life.