ThunderHub login password caused node to be compromised

Hi Guys,

I am not sure how my node was compromised. I see a transaction that sent out my sats to someone's wallet, both on-chain and on LN.

So, I decided to take down my current node, do a full reset and create a new seed.
But I want to look back at what went on and how it was compromised.

One thing that I can think of is that ThunderHub is still under the default password “moneyprintergobrrr” and I port-forwarded port 3000 via a dynamic DNS service.

I am trying to find a way to change the ThunderHub password but cannot find how to change it.

Can anyone help?

You have to do it over ssh:

https://lightning.codes/post/2021/06/18/setting-the-password-for-thunderhub-on-umbrel-eng/

See also this thread: Changing passwords

But it seems pretty crazy to direct traffic straight to your Umbrel when you can use a Tor browser to do it securely.

  1. Did you ever read the Guides section of this forum?
     In there is a troubleshooting guide with a specific point on how to change that password. But I strongly recommend NOT doing it if you do not know what you are doing.

  2. Your node was compromised not because TH has a hardcoded password, but because you were sloppy, not keeping it safe, I mean your TH onion address.
     Posting the onion address of that TH on a public site, you expose yourself.
     Each Umbrel has its own onion address FOR A REASON.

I did not know that I posted my TH onion address anywhere on a public site.
I still cannot figure out how I got compromised. Let me know if you can think of anything.

I have changed the TH password now, but to be safe I will just wipe everything and start a new node instead.

Wiping the node and starting over will not serve any purpose if you compromise it again.
Maybe the devices from which you access it are compromised and NOT the node itself.
If you have malware that keylogs everything you type, you are doomed, whatever you do, no matter how many times you re-install Umbrel.

I wouldn’t say he was sloppy; I would say it’s a bad idea for TH not to have an easy way to change the password, and accidentally releasing TH’s Tor address shouldn’t mean that your node is now compromised.

The easiest way for someone to accidentally release the Tor address into the wild is to paste it into the address bar of a non-Tor browser by accident; then the search engine has it, and anyone with your search history has it. Probably countless other people have it too.

I would recommend changing it through SSH.