Utopian-io hacked / Keys are 'safe' / I've changed mine anyway / Small voting break

in steem •  last year

Hi all!

Those following my blog know I don't need further reasons to race to the toilet at present, but that almost happened this afternoon when I saw my steemworld.org screen light up with 4, 100% upvotes to accounts I did not recognize. Shiiii...........


keys-525732_1920.jpg
pixabay source

First thing's first - Start sweating and go find my master key!

Thinking I'd been targeted, I changed my keys for this account and my alt. account as checking the voting there i saw the same was happening. This actually made me feel worse for a second, and then better as I realised that some smart-arse was doing this en mass, and that I might not be the sole target after all.

On checking the posts that my votes had been cast on, I saw a number of other voters who would likely not be there too. Ok. Phew. Not just me then!

After I'd changed my keys, I visited steem.chat and pinged a few knowledgeable types on discord to try and find out more information. The individual apps relating to steemconnect were being mentioned as the source of the 'hack', and so I started to revoke permissions to these apps I'd registered here: https://v2.steemconnect.com/dashboard

steemconnect were also being mentioned as the possible source, and it was then I was invited over to listen to an emergency meeting on the @utopian-io discord chat, where I saw the following:

I managed to catch 5-10 minutes of @elear explaining the situation, and it sounds like a major trust was broken within @utopian-io for this event to happen. The steemconnect token (stored locally by @utopian-io) was taken by the hackers to act on the users' behalf, issuing votes programmatically.

Always be extra nice to your DBAs

Having worked in the IT industry for almost 20 years, in and around Database administration, it is just a fact that your Database Administrators have access to information that as a business owner, you'd rather not let them have, but you have no real choice. You just have to trust them.

I've signed pages and pages of documents in the past, stating that I will not be abusing or misusing any of the information that would be available to me. And although the small-print escapes me right now... I would have likely been prosecuted if I had done so.

Unfortunately, @utopian-io does not have decades of experience, laws, and legislation in place right now, and while this has perhaps been a positive in allowing rapid development of the business, it has to be seen as a negative today. I feel sorry for @elear and his trusted team members, and I really hope @utopian-io can bounce back from this.


On to the votes I didn't cast.....

Well 'I' did give a couple of down-votes, but hey, the reward pool probably needs a little hand now and again so lets skip those and go to the upvotes :)

After reviewing these posts for quality, and seeing that they have all been bot-boosted, I decided to remove my vote from all.

Beautiful maybe, but $200+ for a flower is a bit excessive to me.


Today I learned that I can quickly reset my keys and copy them to multiple offline locations, this was a good 'under pressure' exercise without that much harm done.

It is my understanding that @utopian-io will continue to accept contributions via other condensers, in the next 12/24 hours.

Stay safe everyone, and have a good weekend!

Asher @abh12345

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Hello guys. I'm a representative of @utopian-io. We apologize for the leak and are working on tracking down the hacker & fixing possible holes. I'd also like to confirm that your keys are completely safe.

We want it to be clear that but we are not, in any way, associated to the hacker that used these tokens for malicious intents. Please join us on the discord channel if you want to know more about the issue. An official announcement is coming.

·

Hi @jestemkioskiem

Thanks for the clarification message. My post should not be taken as an attack on @utopian-io in any way, I've long been a support and contributor to the project and hope that the project will bounce back from this setback.

Thanks again.

·
·

Not at all! We appreciate the shared message! I'm just here to make sure it's clearly understood <3!

Thank to @steemchiller for the information provided trough Steemworld. and good think is you checked it frequently what happen about your blog. hope this won't happen again in the future @abh12345. regards

Well at least it was caught and dealt with somewhat quickly. That is one nice things here we don’t have to wait around 6 months to find out about these short of things. Have a great weekend as well!

·

Yes indeed. The chat rooms were buzzing, and the meeting held by @elear was full of interested parties.

Clearly this doesn't look good for them today, but I think they can come back better (and more secure) in future. Cheers!

Thanks, whomever...

...The Boondock Saint of STEEM lmao

·

I knew there was a much better title for this post! haha :D :D

Screen Shot 2018-05-04 at 20.52.46.png

Ahah, I've been staring at the monitor with an angry face about 5-6 hours and this one made me laugh hard.

·

Well that's good, i think! Wait....... are you laughing at me? fk it, I don't care, laughing is good! :D

I woke up to see this fire had flared up and been put out. I'm not affected, but it's shitty that many people were. I've always done manual curation, and this gives me another reason to stick to that. I know for many people voting trails are important and auto-votes as well, but I'm gonna keep it simple, myself. Have a wonderful weekend. Hope you're feeling better!

·

Yeah it was really worrying for a few minutes!

A good exercise though in the end, just a shame for utopian. I'm feeling much better thank you, and enjoying my weekend - I hope you are too :D

I was having dinner outside when I saw an everyone notification in a group that never uses that and when I checked and saw the need to revoke Steemconnect access because of possible breach I felt my balls rise up to my throat hahaha

It was not a pleasant feeling at all hahahha and I never knew I could act so quick and using a mobile and painstakingly writing the new keys hahahhaa

·

I would have had no chance on my mobile, a great effort for being able to get it sorted on the move!

Yesterday was a crazy day because of this, we got a lot of reports about it, starting with @runicar who was the first to contact me directly. There's no way to guarantee security. Can do whatever it takes to secure something but it's never 100%. Devs leave back doors, hackers have mad skills, servers have admins, etc.

Have to say Utopian handled it pretty well and were responsive on Discord. Communication is a big part of the game. We've got a lot of security issues, phishing mostly, going on right now. The user base is more aware which in itself was a big mitigation by the looks of it.

·

Devs leave back doors, hackers have mad skills, servers have admins, etc.

Absolutely, and I'm not 100% we've seen the end of this due to the above.

Utopian have handled it pretty well, it's a huge hit for them as the hacker/s wiped servers and destroyed backups. As I mentioned, there has to be trust in at least one other person and normally more in business - a solid employee turned major rogue is I guess one of the biggest risks (with low possibility) on the matrix.

Phishing has seemed to increase, pretty low-life imo and it is a case of user education as you say that can help keep damage at a minimum.

Cheers.

I panicked too when I saw it all over Discord @abh12345. But then I took a deep breath and checked my votes. I couldn't see anything untoward. Phew!

Will change my keys anyway I think. As you say, it's good to know how to do it quickly.

Glad to hear it wasn't too bad for you.

Are you fully recovered now?

·

I think you will be ok unless you've signed into utopian-io, but it's a good exercise to update them from time to time :)

I am feeling better, but the toilet issue is far from solved! Thanks for asking!

·
·

Oh dear. Sorry to hear that!

I haven't signed into utopian-io so I should be OK then. That's good to hear. 😁

I watched those flowers grow.. :))
More and more Upvotes.
Most fun:
100% from jerrybanfield:))

·

Jerry is going to be pissed as the person did not even pay for it hahahaha I think he will be pleasantly surprised on his pay out hahhahaha

·
·

Jerry will get some nice curation rewards if he chooses to leave his votes there. I wonder what he will do....

·

BOOM!

Do yo think he will leave the votes?

·
·

Make your bets!
I really don't know

·
·
·

I think he will 'forget' and collect :)

It doesn't look like my account was affected, but if be reversing any unauthorised votes of it had. Apparently our keys should be safe, so I'm trusting the team on that. It is scary what someone else could do with them

·

You would have need to have connected to utopian-io via steemconnect to be at risk. It's this token that was used and not an account key, apparently.

I've removed all auths from my accounts until further notice! Cheers.

Hi,

Thank you for this useful information, I think I will follow your advice " reset my keys and copy them to multiple offline locations"

Cheers.

·

That's no problem.

I do think a keys reset is a good thing to do now and again. And it's definitely best to always keep at least 2 copies of the master password offline - just remember to update these locations when you change again :)

I did the same thing, hopefully, we are safe now.

So????? Do you have to read the fine print all the time? I think I'm a little scared.

·

Naa, just sign away and be good :D hehe

(Yes)

Thank you for posting this. This is exactly why I can't bring myself to give my passwords to third party services. Reminds me of the bot hack on Binance not that long ago. Sorry they burnt your votes, but htankful it wasn't more serious than it was.

·

Yeah, I understand. The max damage is to the rewards pool really, unless all + votes are recouped, then it's a good day for the pool.

Steemconnect is still OK, not as secure as Steemit.com, but if the 3rd party apps have rogue employees, then things like this will happen.

cheers

Thanks for the article.

Two upvotes were made on my behalf. Luckily the keys were safe, but still, it is scary as hell.​

·

Yeah I was sweating this afternoon!

Hopefully there are no further ramifications...

My morning started out like this too... I also unvoted everyone ... I have a thesis here, I have a thesis.... ** Me Thinkings**

Just removed my vote from those flowers..

·

yeah, I don't blame people for doing that but as with curie recently, I'm giving them 1 more chance.

·
·

Did anything happen with curie as well?

thanks for bringing clarity to the situation. wish i would've read this before going into steemconnect and disconnecting dlive and a few others, but oh well! hope you feel better soon :)

·

I think it's the best thing to do at present - I'm not connected to anything, and will probably only do so when I want to use them - before disconnecting again!

Thanks, still not right down 'there' but feel a bit better nonetheless! :)

they downvoted haejin with my account.

·

Yeah, and up-voted some low grade stuff!

your profile background and avatar is ace!

·
·

Damn, didn't notice that. Now I see that my vp is trashed. What about are keys in this situation? Were they compromised?

As for the background thanks man, I made it myself when I first got into illustration and you can get your own emoji at bitmoji

·
·
·

Keys are supposed to be 100% safe.

I've used that steemconnect link in the post near the top to check who i'm authed with - and I've removed them all for now.

Cheers

Is it just me, or are these hack/attacks happening more frequently? This one sounds like an upset insider, but we've had the spam attack in recent days and something before it. You had to chase all over initially to find out what it was, and ended offsite to get the right information. I'm afraid that doesn't sit well with me. We need some kind of a Steemitwide alert or warning system, especially for these kinds of things.

I'm glad no wallets were compromised and that you were able to rapidly undo the damage, but sheesh.

We need the cyber equivalent of nuclear proof underground bunkers and some means of retaliation to take the hackers out. Wouldn't have been too helpful in this instance, though. That's scary.

·

Seems there is a lot more phishing attacks going on, this one was a bit more direct - and perhaps less avoidable.

As long as your master key is offline, in a couple of locations, your account (minus the free float) can be recovered. It's not perfect, but better than a house/car/bank I think!

I think there is a recovery team, or a least people who can help, but yeah, no master, no go.

How did these particular steemians receive upvotes? Are they associated with the 'hacker'? @ironshield

·

It is an interesting question as to why these accounts were selected and I think there is more to come on that...

this is so bad, it scares the hell out of me man 😑 I want my steem to be in safe hands, steemit community should increase the security level of the platform like as in Facebook or any other platform

·

If you have your master password, offline and no-where else. Your account is most certainly more secure than Facebook :)

I am a computer guy and i have worked as network administrator for a couple of people and they were really wonderful set of people. Amazing

Looks like you have the keys to all the steem in the world.

@abh12345 Thanks StevenWorld Good thought you check it often about what your blog is all about. I hope you will not be there again in the future.

reateem

I shared a lot of important information with all of us. You talked a lot about security. 11 million won by millions. Of course you have made a blog more beautiful. You love me very much. I always follow you and try to follow you. I am with you. Thank you very much for your important post

·

OKKKKKKKKKKKKKKKKKKKKKKKKKKK

Loading...

thank you for sharing @abh12345, and this is very useful news

Thanks for sharing this post.... best of luck

Not something you needed on top of everything else. Hope you are feeling much better.

excellent post ..loving to your blog.thanks for sharing..

finally revoked the access to many sites hackers can do anything thanks for the update better to be on the safe side :)

just read the official post from the utopian they said nothing compromised but i did the same thing as you changed the password :)

it's so important for all

never used that but its a big security risk exposed

Hi LOVE YOUR POST MAN!!! LIKE MY POST TOO!!!!! HERE IS THE LINK: https://steemit.com/bots/@abusereports/last-minute-upvote-list-2018-05-02

just came on steemit and its hacked hahah i need to be more careful lol

Yikes. Is there any update on who did it?

·

Not seen anything official as yet..

I have the same problem too but not with Utopian.io but with Busy.org. Mostly related to SteemConnect issue.

·

Was your account used to upvote/downvote yesterday?

·
·

No. Since I do not grant access to Utopian.io. So it happen today and unauthorized vote to someone else. Immediately revoked all 3rd application and change password.

·
·
·

ahh ok. Thanks for clarifying, and best to change passwords often too :)

thanks for your post

I'm glad to hear it was caught, contained and resolved. Maybe I'm paranoid, but these sorts of events make me very nervous because I end up thinking "well, if it can happen THERE it can happen somewhere else."

Steemit — with all its connected apps and initiatives — works through a lot of "handshakes" between different apps, and I always worry someone will exploit a weakness somewhere.

Hope you are feeling better!

=^..^=

thank you so much for the information @abh12345. it's so useful.

This is good post...