These have been the most thrilling 48 hours in my SteemIt career. I’m still shaking... My account got hacked, I was locked out, while the hackers took my SBD, undid all my delegations and started powering down. It was a terrifying race against the clock to see if I could regain access to my account, and all my funds, before they managed to steal it all.
A Little Background Information
As you may or may not know, I started my SteemIt adventure with the username @mike314-005. Right, I don’t know what I was thinking signing up with that name. ;0)
By the time I had reached a reputation score of 51 and got around 500 followers, I decided I needed a different username if I wanted to get somewhere on this platform.
So I used Blocktrades to create a brand new account with the username @simplymike.
I didn’t close the old account, but decided to delegate all my SP to the new account. With that delegation, an extra investment and a lot of blood, sweat and tears, I managed to grow the @simplymike account to reach a reputation score of 53 in only 45 days.
I was pretty proud of this achievement, to be honest.
The day before yesterday, disaster struck...
I received a comment on one of my posts, in which was mentioned I received a GrumpyCat flag for using ‘the wrong bots’. I had seen these things around before, so I didn’t think much of it.
Please note that the @grumpycat account had nothing to do with the hack. The hackers simply imitated the comment, knowing people wouldn't be very suspicious because they had seen it before.
Since I had not paid for any bot, I replied to the comment, telling the posters they should reprogram their bot, because it was wrong.
I thought it would probably be a good idea to leave a comment on one of the poster’s articles instead of the flag-comment, so I clicked the ‘Learn More’ link.
SteemIt had been acting up these last couple of days, so I wasn’t really surprised when I was asked to log in after clicking the link. I did, and was redirected to a post by @grumpycat. Nothing weird about that...
They Tricked Me
I didn’t realize something was wrong until I tried to post a comment to the article. The system told me I had no permission to post.
Strange, but since SteemIt can be unpredictable sometimes, I still didn’t worry. I tried my phone... wouldn’t work. I tried my tablet... nope. When I tried to log in to Busy.org and that wouldn’t work either, I realized something was terribly wrong...
On top of that, I started to receive notifications through my Steemify app which indicated that my account was posting ‘GrumpyCat flag-comments’ on other accounts.
This was bad... really bad...
I Ran Home
I didn’t really know where to go, so I stopped by the Steemcleaners channel on Discord to notify them,and then to the one place I could think of: the #newbieresteemday Discord channel, which I, surprisingly or not, considered as ‘home’.
I was very fortunate I bumped into a couple of bulldogs there, you know, the kind of people who bite something and won’t let go until they’ve done everything they could to solve it... @deliberator, @penderis, @wilfredn, @bashadow, ... thanks for your help and support, I owe you!
Suddenly, I saw my reputation score get back to -1. I was freaking out: I had worked so hard for that rep of 53...
Because the hackers were using my account to send out phishing comments, @guiltyparties had nuked it by flagging all those comments, just to make sure the comments would be hidden and the phising attack wouldn’t make more victims.
It was just a precaution measure...
Meanwhile, the hackers had started to power down my account.
If it wasn’t for the SteemIt rule that a power down takes 7 days to be executed, I would have lost a lot of money in this.
Now, all the hackers got away with was a little over 14SBD, which is peanuts considering what it could have been.
It took a little less than 24 hours to regain control over my account, so this story has a happy ending.
It’s a bit unfortunate that it took such a dramatic event to learn some very important things.
I’ll be discussing everything I learned during this attack in my next couple of posts, but there is one thing I already want to share with you:
NEVER, EVER use your ‘Master Password’ for daily logins!!
Like @rycharde from the M-A-P channel stated:
The Password is your "ultra secret never to be revealed master key to the steem universe"
I did read the FAQ, but I managed to miss that part, and I’m pretty sure a lot of you have too.
Save your master password and keep it somewhere safe.
Only log into your account using the key with the appropriate permissions for what you are doing:
- Posting key for every day logins
- Active key when necessary for transfers, power ups, etc.
- Master password or owner key when changing the password
Again, save your master password and keep it safe! If logging in with your post key, make sure you don't overwrite or misplace your original master password.
I’ll be writing a more detailed guide soon, but I thought this was too important to leave out at this point.
If I had used my private posting key to log in, the hackers would only have been able to post the phising comments, but my money would have been save.
A Word Of Thanks
So, this story has a happy ending, but that was only thanks to the help of a lot of other people.
So, I’d like to put a couple of those in the spotlight below.
Thanks for jumping on and helping out, guys (and gals ;0) ). I couldn’t have done this without you!
Loads of thanks to
@drakos over at the help channel on SteemIt Chat for taking the time to reply and to tell the guys over at Blocktrades they needed to act! If it weren’t for you, @drakos, I would still be sending emails to them telling them they should be providing a way to recover my account.
Dan from @Blocktrades, for stepping up and initiating the recovery process.
@anupbose and @kobusu, for using their resteem service to get out the word about the phishing attack, by resteeming a message I created on my old account, even though I didn’t have any money in that account to pay them with.
And everyone else who supported me to get through this. There were moments I lost hope and wanted to quit and forget about SteemIt alltogether, but thanks to everyone who chipped in (like @mudcat36, who resteemed all my visible post to help me get back on my feet), I got through.
This was another example of how strong the SteemIt community really is, and a reminder why I love it so much.
This event allowed me to meet new community members, as well as get to know some members better. Together with the lessons I learned this has been a valuable experience, which fortunately turned out fine!
More Posts You Might Like
Grumpycat screenshot taken from one of @grumpycat's comments