Fake seed-generator sites cost IOTA users millions. The error is not really in IOTA itself, but in a questionable implementation of the wallet. Nevertheless, it is likely to be annoying for many.

Actually, everything is running smoothly at IOTA. The new version of the client has significantly reduced the high resource consumption and is more resistant to DoS and spam attacks, while the IOTA Foundation is constantly reporting new members. An article in Der Spiegel, announcing that VW's Chief Digital Officer (CDO) Johann Jungwirth will soon join the foundation as a member of the supervisory board, adds to the anticipation.

Unfortunately, there is some bad news amid this positive environment. Many users report that they have lost their IOTA tokens. Someone seems to have succeeded in stealing them directly from the wallet. According to a report, tokens worth around $4 million have been lost.

Ralf Rottmann explains on his blog how this could happen. It started with users creating a new IOTA wallet. Anyone who has tried this before knows that you open the IOTA wallet by entering a seed. The seed is an 81-character string consisting of capital letters and the digit 9. Coming up with such a sequence is cumbersome, and whoever uses real words or a sentence runs the risk of having an insecure seed. So many users asked Google how to get a seed and ended up on several websites that generated the seeds for them.

There are some things you should never do in the crypto world. NO WAY. One is to generate a seed online and trust that it is safe. You can generate the seed for IOTA on the command line, you can roll dice for it, and more. A website gives tips on this. If you do end up generating it with a website, you should take the page offline, run it offline, and then empty the cache before plugging in the network cable again.
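One way to generate the seed locally, as an added example that is not from the original article or the IOTA project: it draws the 81 symbols from the operating system's CSPRNG and discards bytes that would bias the 27-symbol alphabet. The function names and the `rand` test hook are assumptions made for this illustration.

```python
"""Added example: generate an IOTA seed locally instead of on a website."""
import math
import os
import re

ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # the digit 9 plus A-Z: 27 symbols
SEED_LEN = 81
_WELL_FORMED = re.compile(r"[A-Z9]{81}")


def generate_seed(rand=os.urandom):
    """Return 81 symbols drawn uniformly from the OS CSPRNG.

    `rand` is a hypothetical hook (a bytes-returning callable) used for testing.
    """
    # 256 is not a multiple of 27, so a plain `byte % 27` would make the first
    # 13 symbols slightly more likely. Discard bytes >= 243 (9 * 27) instead.
    limit = 256 - (256 % len(ALPHABET))
    out = []
    while len(out) < SEED_LEN:
        for b in rand(SEED_LEN):
            if b < limit and len(out) < SEED_LEN:
                out.append(ALPHABET[b % len(ALPHABET)])
    return "".join(out)


def is_well_formed(seed):
    """True only for exactly 81 characters from A-Z and 9."""
    return _WELL_FORMED.fullmatch(seed) is not None


def seed_entropy_bits():
    """Entropy of a uniformly random seed: 81 * log2(27), about 385 bits."""
    return SEED_LEN * math.log2(len(ALPHABET))


if __name__ == "__main__":
    seed = generate_seed()
    assert is_well_formed(seed)
    # Printed once to the terminal; nothing is written to disk or sent anywhere.
    print(seed)
    print(f"{seed_entropy_bits():.1f} bits of entropy")
```
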

The result of all this was, as expected, that users lost money. Someone entered the seeds into wallets and, on finding IOTA tokens in them, cleared out the wallets. At the same time, the hackers launched a DoS attack on the well-known public nodes. This allowed them to prevent users from saving their balances. There were hours when you could not find a single public node to send transactions with your Light Wallet.

Rottmann explains that the attackers did not exploit any IOTA-specific weakness, and that this is super important. This is true, but it is without a shadow of a doubt the fault of the wallet developers that it has come to this. Who makes it a condition of opening a wallet that the user provides the entropy? Bitcoin stopped recommending brain wallets years ago. The 81-character seed the IOTA wallet demands combines the two worst features that a password-like mechanism can have: it is insanely awkward and hard to remember, yet also unsafe.

The correct approach would have been for the wallet to collect entropy on the local computer, create the seed itself, and let the user secure it with a password. That would have been both more convenient and safer, and has long been standard in all wallets. Why the IOTA developers did not do that is a mystery.