Using the Hola VPN chrome extension? Your MEW wallet may have been compromised.

[TryNinja]

Urgent! If you have Hola chrome extension installed and used MEW within the last 24 hrs, please transfer your funds immediately to a brand new account!

We received a report that suggest Hola chrome extension was hacked for approximately 5 hrs and the attack was logging your activity on MEW.

Source: https://twitter.com/myetherwallet/status/1016542459185119232
If you have the Hola VPN extension, which is a free VPN for Chrome, uninstall it right now, create a new MEW wallet and move all your coins away immediately.

P.S: This is not an issue with MEW. It's the same as downloading a virus, risking your wallet and blaming your wallet developer.

[1714834202]

1714834202

[1714834202]

1714834202

[1714834202]

1714834202

[1714834202]

1714834202

[leowonderful]

This is exactly why I don't run Chrome with any extensions at all, especially on computers where I'm storing any amounts of crypto- the risk for a hack or shady application logging my information and a resulting loss of funds is just too great. Still a good job from the MEW team for reporting this issue quickly, as every minute could mean a wallet getting its funds emptied without the owner's permission.

I don't trust free VPN services for this reason as well. I'd much rather pay money for a VPN, or better yet make a Socks5 proxy by hand than save money at a cost like this.

[OmegaStarScream]

So basically this is valid for MyCrypto too. Is it possible for an extension to reach for another extension as well? If that's the case, MetaMask could be at risk too.

[St4yInTh3D4rk]

Is there any problem if I have hola VPN on someohter browser and never accessed my MEW from that browser?

But I always access my MEW from chrome where I have no extension installed.

[TryNinja]

Is there any problem if I have hola VPN on someohter browser and never accessed my MEW from that browser?

No. An extension on Chrome can't read/modify data on your Firefox browser.

But I always access my MEW from chrome where I have no extension installed.

Then you are safe.

[crairezx20]

How the VPN works and how they can get your private keys or json key?

It looks like a keylogger or downloading all copy paste logs. for now I'm using metamask wallet because I don't like MEW to use for daily transaction because you need to copy paste your private key when accessing your wallet.

[jhenfelipe]

So far no comments in the twitter post about funds being stolen from their account. Hopefully MEW users aren't using Hola VPN while accessing their wallets.

So basically this is valid for MyCrypto too. Is it possible for an extension to reach for another extension as well? If that's the case, MetaMask could be at risk too.

@MyCrypto posted about this issue as well and made it clear that MyCrypto users are not affected. Based on the post, it seems that it's only for MEW, so I think MetaMask users are not affected too.

[milewilda]

So far no comments in the twitter post about funds being stolen from their account. Hopefully MEW users aren't using Hola VPN while accessing their wallets.

Ive been waiting for comments too actually but we should wait a little further even though Hola VPN isnt too popular but rest assured there are still people who do make use of it and wasnt aware on the recent vulnerability of it.

How the VPN works and how they can get your private keys or json key?

It looks like a keylogger or downloading all copy paste logs. for now I'm using metamask wallet because I don't like MEW to use for daily transaction because you need to copy paste your private key when accessing your wallet.

This is the reason why i do switch to metamask it is somehow techy compared to MEW but when it comes to security or possible risk you can lessen it up when using metamask.This is why i dont like to install any extensions on my chrome. Even on my first time with metamask i do still hesitate to do such thing.

[mobnepal]

I always used to remain cautious about installing any extension on my browser even though all of them are listed by google after security check. Now this news make my caution worthy because this proves that even though google will have security check before listing the extension on their store hacker can push malicious code without getting noticed by google.

The only extension I have is metamask which I rarely use.. Hope not much ETH holder will be affected by this as HOLA is not quite popular VPN,  I haven't heard about it before.

[LTU_btc]

Thanks for the warning. I'm using Hola extension quite often. But it's good that I'm using MEW on Firefox, while Hola on Opera, so my funds are safe.

Hope not much ETH holder will be affected by this as HOLA is not quite popular VPN,  I haven't heard about it before.

Hola is probably most popular free VPN extension. It doesn't mean that's not popular just becauce you haven't heard about it.

[electronicash]

never trust browser extension and app.

you don't need to use the private key in MEw if you use the Keystore File to login to your account. but yes the password along with that keystore file.
the best way to use MEW is by downloading the newest release from here https://github.com/kvhnuke/etherwallet/releases


unzip it
and then you can use it offline without worrying of hacks. drag the index.html to a browser to view the page.
click send token  then
you can click json file if you have json file and upload or Click private key  and copy and paste your private keys whichever is comfortable for you
click unlock wallet.

[Lanatsa]

never trust browser extension and app.

you don't need to use the private key in MEw if you use the Keystore File to login to your account. but yes the password along with that keystore file.
the best way to use MEW is by downloading the newest release from here https://github.com/kvhnuke/etherwallet/releases


unzip it
and then you can use it offline without worrying of hacks. drag the index.html to a browser to view the page.
click send token  then
you can click json file if you have json file and upload or Click private key  and copy and paste your private keys whichever is comfortable for you
click unlock wallet.

Airgapped is good but not all people would put up themselves into hassle or just simply not all people do have idea into this kind of method since they are not techy at all.
If we do possess huge amounts of crypto then this kind of accessing the wallet thru offline is safer than on inputting your private key while you are connected to the net.
Luckily, im not using any browser extension on my chrome since i dont really need vpn service at all.