What actually happened was a lot of unfortunate users were generating their unique seed (which is what you derive your password from) from a false website, a phishing website. It was meticulously crafted in such a way that it ended up being at the top of a Google search for IOTA seed generator, it was the first thing listed in the ads…So, this malicious actor essentially had people go there, and he/she created a website that looked very legitimate to new users. Therefore, they trusted it, and generated a seed there. That essentially means that they gave away their private key to a thief. It’s equivalent to giving your keys to someone as you go into a store, and then coming back out to find that your car is gone.
Ars Technica - Mon 29-Jan-2018 6:56 AM
Coincheck sincerely apologizes for the inconvenience.
And technical desection of the code in question.
Thatoddmailbox - Mon 29-Jan-2018 6:56 AM