IOTA wallets looted by hackers controlling online seed generators

Hackers managed to control one of the top online seed generators for some time, which enabled them to phish the seeds created by thousands of IOTA users. Later on, they used these seeds to move users' funds, following a widespread DDoS attack on IOTA's fullnodes.
Two days ago, hackers hit the IOTA community with a nasty attack. Dozens of IOTA wallets were looted by hackers, who briefly controlled one of the sites used by IOTA holders to generate seeds (iotaseeds.io), tricking users into freely offering up access to their wallets. The damages totaled at least $4 million in what seemed to be an easily avoidable situation.

Seed generators cripple IOTA wallets:


The root of the problem lies with online seed generators. A seed, according to IOTA, is the combination of a username and password that grants access to a user's funds. When creating an IOTA wallet, users provide an 81 character "seed" consisting of A-Z letters and the number 9.

To help users in the onboarding process, websites provide online seed generators that quickly create a unique, random seed for new IOTA wallets. Other options include using the onboard tools that are available for Mac and Linux operating systems. These aren't particularly user-friendly, leading many to rely on online seed generators.

Hackers used a DDoS attack against IOTA's nodes:


The IOTA wallet hackers deployed a devastating DDoS attack against popular IOTA fullnodes. Victims of the heist were completely unable to recover any of their funds. In a blog post by IOTA Evangelist Network member, Ralf Rottman, he stated that the attackers apparently "knew the users' seeds" rendering the heist extremely easy. Rottman also commented, "The community of fullnode operators is discussing various strategies to better protect public community nodes from this specific and similar DDoS attacks in the future."

Since the attack, the online seed generator (iotaseed.io) that leaked users' seeds has been taken down. The IOTA community has also encouraged users to change elements of their auto-generated seeds to prevent potential hacks. The IOTA team has reminded users that the attack wasn't the fault of the IOTA infrastructure itself, instead, it was a result of the insecurity of online seed generators.

This setback hasn't caused a selloff, though the development team will be eager to find a solution going forward.