After releasing an update for its compromised Trinity wallet, the IOTA Foundation is directing users to change their passwords. More steps will soon be announced to ensure funds are secure.
MANY IOTA ACCOUNTS MAY BE COMPROMISED
Last week the IOTA Foundation stopped its network, the Tangle, after hackers stole funds from at least ten high-value accounts. The foundation soon traced the vulnerability to the desktop version of Trinity.
The foundation states:
Trinity users – If you opened #Trinity between Dec 17th 2019 – Feb 18th 01.30 CET 2020, you will need to use the seed migration tool to protect your tokens. Further details about the tool and migration period soon. All updates at https://t.co/3blzUVGJTE or https://t.co/vbg93hQBiG
— IOTA (@iota) February 20, 2020
The foundation is confident that only users who opened desktop Trinity during the specified date range are at risk. Nevertheless, it has also released an update for the mobile wallet, and is calling on those users to change their passwords out of an “abundance of caution.”
Ledger Nano users do not need to use the migration tool, but it is strongly recommended that you change your password.
— IOTA (@iota) February 20, 2020
The password change is only the first step in resolving this issue. Users will also need to acquire new seeds, which are the 81-character keys that hold IOTA tokens on the Tangle. The foundation promises to release a seed migration tool soon to enable this process. The network will not be restarted until after the tool has been made available.
FULL REPORT PROMISED
The IOTA Foundation promises a full report on this hack. The vulnerability appears to be connected to MoonPay, a service recently integrated into Trinity that enables users to purchase IOTA directly from within the wallet. The MoonPay feature does not appear in the patched version.
Regardless of the cause, this is a serious breach of the IOTA platform. Although it appears that the hackers did not compromise the core protocol, they may have acquired a large number of seeds. Thus, users who do not use the migration tool will remain vulnerable.
IOTA holders who have lost funds are encouraged to contact the foundation through its Discord channel. The foundation has stated that it is working on a remediation plan for the theft victims. It is unclear, however, if this plan will involve direct compensation or a chain reorganization. The foundation is also working with law enforcement to help locate the perpetrators.
This event is one of many incidents of theft that have become common in the crypto space. It is proof positive that blockchain technology remains a work in progress, and that even very secure platforms can be made vulnerable. Before this incident, Trinity had been independently audited and was widely considered extremely safe to use.