Utopian-io hacked / Keys are 'safe' / I've changed mine anyway / Small voting break
Hi all!
Those following my blog know I don't need further reasons to race to the toilet at present, but that almost happened this afternoon when I saw my steemworld.org screen light up with 4, 100% upvotes to accounts I did not recognize. Shiiii...........
pixabay source
First thing's first - Start sweating and go find my master key!
Thinking I'd been targeted, I changed my keys for this account and my alt. account as checking the voting there i saw the same was happening. This actually made me feel worse for a second, and then better as I realised that some smart-arse was doing this en mass, and that I might not be the sole target after all.
On checking the posts that my votes had been cast on, I saw a number of other voters who would likely not be there too. Ok. Phew. Not just me then!
After I'd changed my keys, I visited steem.chat and pinged a few knowledgeable types on discord to try and find out more information. The individual apps relating to steemconnect were being mentioned as the source of the 'hack', and so I started to revoke permissions to these apps I'd registered here: https://v2.steemconnect.com/dashboard
steemconnect were also being mentioned as the possible source, and it was then I was invited over to listen to an emergency meeting on the @utopian-io discord chat, where I saw the following:
I managed to catch 5-10 minutes of @elear explaining the situation, and it sounds like a major trust was broken within @utopian-io for this event to happen. The steemconnect token (stored locally by @utopian-io) was taken by the hackers to act on the users' behalf, issuing votes programmatically.
Always be extra nice to your DBAs
Having worked in the IT industry for almost 20 years, in and around Database administration, it is just a fact that your Database Administrators have access to information that as a business owner, you'd rather not let them have, but you have no real choice. You just have to trust them.
I've signed pages and pages of documents in the past, stating that I will not be abusing or misusing any of the information that would be available to me. And although the small-print escapes me right now... I would have likely been prosecuted if I had done so.
Unfortunately, @utopian-io does not have decades of experience, laws, and legislation in place right now, and while this has perhaps been a positive in allowing rapid development of the business, it has to be seen as a negative today. I feel sorry for @elear and his trusted team members, and I really hope @utopian-io can bounce back from this.
On to the votes I didn't cast.....
Well 'I' did give a couple of down-votes, but hey, the reward pool probably needs a little hand now and again so lets skip those and go to the upvotes :)
After reviewing these posts for quality, and seeing that they have all been bot-boosted, I decided to remove my vote from all.
Beautiful maybe, but $200+ for a flower is a bit excessive to me.
Today I learned that I can quickly reset my keys and copy them to multiple offline locations, this was a good 'under pressure' exercise without that much harm done.
It is my understanding that @utopian-io will continue to accept contributions via other condensers, in the next 12/24 hours.
Stay safe everyone, and have a good weekend!
Asher @abh12345
Hello guys. I'm a representative of @utopian-io. We apologize for the leak and are working on tracking down the hacker & fixing possible holes. I'd also like to confirm that your keys are completely safe.
We want it to be clear that but we are not, in any way, associated to the hacker that used these tokens for malicious intents. Please join us on the discord channel if you want to know more about the issue. An official announcement is coming.
Hi @jestemkioskiem
Thanks for the clarification message. My post should not be taken as an attack on @utopian-io in any way, I've long been a support and contributor to the project and hope that the project will bounce back from this setback.
Thanks again.
Not at all! We appreciate the shared message! I'm just here to make sure it's clearly understood <3!
Thank to @steemchiller for the information provided trough Steemworld. and good think is you checked it frequently what happen about your blog. hope this won't happen again in the future @abh12345. regards
Well at least it was caught and dealt with somewhat quickly. That is one nice things here we don’t have to wait around 6 months to find out about these short of things. Have a great weekend as well!
Yes indeed. The chat rooms were buzzing, and the meeting held by @elear was full of interested parties.
Clearly this doesn't look good for them today, but I think they can come back better (and more secure) in future. Cheers!
Thanks, whomever...
...The Boondock Saint of STEEM lmao
I knew there was a much better title for this post! haha :D :D
Ahah, I've been staring at the monitor with an angry face about 5-6 hours and this one made me laugh hard.
Well that's good, i think! Wait....... are you laughing at me? fk it, I don't care, laughing is good! :D
I woke up to see this fire had flared up and been put out. I'm not affected, but it's shitty that many people were. I've always done manual curation, and this gives me another reason to stick to that. I know for many people voting trails are important and auto-votes as well, but I'm gonna keep it simple, myself. Have a wonderful weekend. Hope you're feeling better!
Yeah it was really worrying for a few minutes!
A good exercise though in the end, just a shame for utopian. I'm feeling much better thank you, and enjoying my weekend - I hope you are too :D
I was having dinner outside when I saw an everyone notification in a group that never uses that and when I checked and saw the need to revoke Steemconnect access because of possible breach I felt my balls rise up to my throat hahaha
It was not a pleasant feeling at all hahahha and I never knew I could act so quick and using a mobile and painstakingly writing the new keys hahahhaa
I would have had no chance on my mobile, a great effort for being able to get it sorted on the move!
Yesterday was a crazy day because of this, we got a lot of reports about it, starting with @runicar who was the first to contact me directly. There's no way to guarantee security. Can do whatever it takes to secure something but it's never 100%. Devs leave back doors, hackers have mad skills, servers have admins, etc.
Have to say Utopian handled it pretty well and were responsive on Discord. Communication is a big part of the game. We've got a lot of security issues, phishing mostly, going on right now. The user base is more aware which in itself was a big mitigation by the looks of it.
Absolutely, and I'm not 100% we've seen the end of this due to the above.
Utopian have handled it pretty well, it's a huge hit for them as the hacker/s wiped servers and destroyed backups. As I mentioned, there has to be trust in at least one other person and normally more in business - a solid employee turned major rogue is I guess one of the biggest risks (with low possibility) on the matrix.
Phishing has seemed to increase, pretty low-life imo and it is a case of user education as you say that can help keep damage at a minimum.
Cheers.
I watched those flowers grow.. :))
More and more Upvotes.
Most fun:
100% from jerrybanfield:))
Jerry is going to be pissed as the person did not even pay for it hahahaha I think he will be pleasantly surprised on his pay out hahhahaha
Jerry will get some nice curation rewards if he chooses to leave his votes there. I wonder what he will do....
BOOM!
Do yo think he will leave the votes?
Make your bets!
I really don't know
I think he will 'forget' and collect :)
I panicked too when I saw it all over Discord @abh12345. But then I took a deep breath and checked my votes. I couldn't see anything untoward. Phew!
Will change my keys anyway I think. As you say, it's good to know how to do it quickly.
Glad to hear it wasn't too bad for you.
Are you fully recovered now?
I think you will be ok unless you've signed into utopian-io, but it's a good exercise to update them from time to time :)
I am feeling better, but the toilet issue is far from solved! Thanks for asking!
Oh dear. Sorry to hear that!
I haven't signed into utopian-io so I should be OK then. That's good to hear. 😁