MyEtherWallet (MEW) hack - Causes / Consequences / Lessons learned
Hi guys,
With regulars hacks and scams, crypto-enthusiasts must learn how to protect their capital. Where robbery losses in the traditional banking system are usually covered by insurances, us crypto people must learn to protect ourselves in the crazy crypto wild west. Reason why I think it is important that we review what happened to MEW, learn from it and raise our awareness to security in crypto.
Causes:
On april 24th, around 12pm UTC, a Domain Name System (DNS) provider got hijacked (apparently Amazon). The DNS is like a phonebook: when you enter an address such as www.myetherwallet.com, your DNS provider checks his records and direct you to the corresponding IP address. A hacker managed to change the DNS settings so that people got routed to the IP address of a fake MEW website.
MEW itself was therefore not directly hacked, however when people affected by the DNS hack tried to view the page, they ended up on a fake MEW website. It seems that these people received a "Security Certificate Error" warning from their browsers but they clicked on "ignore", thinking this was some bug.
Consequence
According to the information available on Etherscan, the thief conducted 180 transactions during the hack, stealing 215 ETH ($135,000) in the process.
The public address of the thief can be viewed here : https://etherscan.io/address/0x1d50588C0aa11959A5c28831ce3DC5F1D3120d29
-If you did not use MEW during the attack your funds are safe. The reason being that your funds are not stored on your MEW wallet. The wallet is just an interface.
-if you used MEW during the attack with a hardware wallet such as a Ledger Nano S: Your private key is safe, it is never uploaded on your computer and/or on the internet. Transactions are signed on the device itself. The only way you might have been affected is if you tried sending money out, in which case the hacker might have changed the receiving address for his.
-if you logged in MEW during the attack using your private key or JSON file then you private key is likely compromised and the thief has full access to your funds. If your fund are still in your wallet, you need to move them asap to a new and safe public address. If the hacker now has your private key, he might still be able to steal your funds, even though the DNS attack is over.
Lessons Learned
-If you just want to check your balance and you don't need to send funds, always use Etherscan rather than a wallet. It does not require you to log in to view your balance.
-Put the URL of your wallet in your favorites so that you don’t click on some phishing link somewhere. Always check that you are on a secured website (https://). Your browser usually shows secured website either in green, or with a checkmark, meaning its security certificate in good order.
-Don't ignore security certificates error warnings on websites that require information to log in
-The funds are never stored in a wallet, they are on the blockchain. The wallet is just an interface that allows you to view your balance and input "send transactions" in the network.
Is it now safe to use MEW ?
It seems that yes according to their Twitter. Please however remain cautious and apply above-mentioned good behavior measures.
You can also read the following guidelines from MEW: https://myetherwallet.github.io/knowledge-base/security/myetherwallet-protips-how-not-to-get-scammed-during-ico.html
I give credit to Boxming for having made a very informative video in the subject:
Congratulations @kidkroco! You received a personal award!
Click here to view your Board
Do not miss the last post from @steemitboard:
Vote for @Steemitboard as a witness and get one more award and increased upvotes!