MyEtherWallet, one of the internet’s most popular services for managing cryptocurrencies, suffered a serious security breach for the second time this year after a widely-used VPN service was compromised for five hours.
MyEtherWallet (MEW) is used to access crypto wallets and send and receive tokens to/from other wallets. Today, it warned that users of its service who utilize the Hola, a free VPN which plugs into browsers and claims nearly 50 million users, may have been caught up in a malicious attack to steal crypto. Regulars users of MEW were not impacted by the breach.
The company said that Hola was compromised for a period of five hours, during which time any Hola users who navigated to MEW and accessed their wallet with the VPN switched on may have been affected. MEW is recommending anyone who used the site and VPN in the last 24 hours to transfer their tokens to a new wallet… assuming that they still have access to them.
The incident is a good reminder of why it is better to pay for a VPN service rather than use a free one. Back in 2015, Hola was accused of performing DDoS attacks “on demand” surreptitiously for paying clients using the computing power of its users so the writing has been on the wall.
MEW pointed TechCrunch to statements on Twitter when asked for comment on the incident. The company said the attack “appeared to be a Russian-based IP address.”
“The safety and security of MEW users is our priority. We’d like to remind our users that we do not hold their personal data, including passwords so they can be assured that the hackers would not get their hands on that information if they have not interacted with the Hola chrome extension in the past day,” MEW added.
We contacted Hola for comment but had not heard back from the company at the time of writing.
It isn’t yet clear how many users were hit, but the situation recalls a similar incident in February when MEW was affected by a DNS attack that saw at least $365,000 of crypto stolen from users.
MEW is one of the most popular wallet services on the internet, but other options include MyCrypto — a service launched by a former MEW co-founder — and Imtoken, which is run by a China-based company that recently raised $10 million from investors.
Note: The author owns a small amount of cryptocurrency. Enough to gain an understanding, not enough to change a life.