I lost my steemit account last weekend. OTL
I had a terrible thing last weekend.
I lost my SteemIt account ...
Here is the story of the terrible incident.
(I really do not want to think about it again ㅠ_ㅠ)
I often use @krwhale bots and @tumble's steemian support projects. I also sent 0.5SBD to krwhale to promote Korean style pan cake post which was recently released this day. Then I wrote a comment on @tumble to join the steemian support project. I did not realize it at the time ... but as shown below....
Link : P.5ZzzZzZzZnpmjZhZDJuDeZ4SyW88xHtNXhZZZZZZZz3zZ7ZzZzz
Author : @coffeex
This is pan cake posting +__+
Really? I would say ... Yes. I broadcast my owner key to the world.
I tried to copy the link in the post, but it did not copy it, and the owner key that was stored on the clipboard was entered before that. Who really makes such a mistake? I did it. Is it the illusion that the emoticon at the end of the comment is laughing at me?
What did you do with the alternate SteemIt UI while I was doing such stupid things? I can not blame. SteemIt warned me with red English letters. "We do not ask you for the owner key in any case."
Timing is important for an event to occur. I was watching an advertisement at the movie theater to see Detective K 3. Before the movie started, I took a break and enjoy steemit. Just as soon as I enter the comment and see the warning above, the movie will start at that moment.
I ignored the warning and pressed "Save". OTL
In fact, I did not read the warning text correctly ...
I painted a picture to express the desperate feeling of that time. (Tool : PhotoScape X)
I noticed that the key value was left in the saved comment, and the first thing I tried was "Delete". I am aware of the fact that the data remaining in the block chain is not deleted. I tried to delete the comment but it failed and the movie started and I was not able to turn on my smartphone anymore in the movie theater so I ran out of the auditorium.
I realized that I lost my account privileges and checked my wallet.
Steem and SBD that I had in my account that I did not know were all remitted. It happened only a short time after I wrote the owner key in the comment. To be precise, the transfer was completed after 6 seconds, and the password changed after 12 seconds.
[
3046, // Write a comment...
{
"trx_id": "ef971edcebcd93a640ddd13a32281a28dd7fa9d7",
"timestamp": "2018-02-10T12:17:03",
"op": [
"comment",{
"author": "coffeex",
"permlink": "re-tumble-2018-02-10-20180210t121701949z",
"body": "링크 : P.5ZzzZzZzZzzzzZzZzZzZzZ4ZzW88xHtNXhPCMRNGMa3nE7QgFcm\n저자 :@coffeex\n\n호떡먹스팀 입니다 ㅋ",
}]}], [
3047, // SBD transfer after 6 seconds...
{
"trx_id": "846df164f3dec41e4739da2bee08d412a6bb765b",
"timestamp": "2018-02-10T12:17:09",
"op": [
"transfer", {
"from": "coffeex",
"to": "jiganomics",
"amount": "31.304 SBD",
}]}], [
3048, // Steem transfer after 6 seconds...
{
"trx_id": "2c14af1c1b39152b3964a083c56b14819cef8d68",
"timestamp": "2018-02-10T12:17:09",
"op": [
"transfer",{
"from": "coffeex",
"to": "jiganomics",
"amount": "394.950 STEEM",
}]}],[
3049, // password changed after 12 seconds...
{
"trx_id": "00501ccd6babc18dc4cebc5e95e78a40e21c3787",
"timestamp": "2018-02-10T12:17:12",
"op": [
"account_update",{
"account": "coffeex",
"owner": {...},
"active": {...},
"posting": {...}, ....
]}],
I am writing this comfortably now ... but I was very upset at that time. It was unclear whether the account could be recovered.
I clicked the SteemIt menu one by one and clicked on the hamburger button on the upper right corner. If you press it ~
You can request to recover your account using your old password until the 30th day after your account is hijacked. The hacker who hijacked the account does not know the email account that he used to sign up and can not log in even if he knows it. First of all, I hurried to request an account recovery.
Actual account recovery request was made within a few minutes after account hijacking, but if you check it in Account History, it is requested about 2018-02-10T22: 15: 03 which is about 10 hours later, and approve 3 seconds later. It is assumed that the Steemit website has a separate process that receives the primary request and actually processes the request.
3054, {
"trx_id": "3936be26fcdcbb2f4a7d03e912df0683700c8ba6",
"timestamp": "2018-02-10T22:15:03",
"op": [
"request_account_recovery", ... ]}], [
3055, {
"trx_id": "9766fb46d3dd38b38f6480ee1ff4b179fccd84ee",
"timestamp": "2018-02-10T22:15:06",
"op": [
"recover_account", ... ]}],
I did not even feel like asking for an account recovery. I am also angry ... I am requesting a buster call(Call everyone) to the Korean community. + _ + ;;;; Now I think it's a lot of embarrassment when I think about it ... but then I can not think of anything else that I can do.
(Buster call is a full-scale bombardment operation in animation ONE PIECE)
In the meantime, I use Google Translator to write in English and mention @ned. ㅋㅋㅋㅋ This is because you do not have a chance to write and post on the account you used only for testing, so you can copy all the IDs of the Korean community from other posts in a frustrating way. I apologize if you feel uncomfortable.
Thank you very much @julianpark for making the open chat room and comforting me!
I was so frustrated that I was able to recover my hijacked account. If you think about it now, the first thing you can do when your account is hijacked is not to delete the comment.
At first. STEEM, SBD, or power up.
Of course, it is not possible after the hacker completes the password change. ㅠ_ㅠ The hackers perform a series of tasks through the bots, so it is almost impossible to send remittances within the effective time.
Second is. I am applying for a theft account recovery.
Then there was nothing I could do but wait. The next day I was very worried about my account being restored. I made a stupid mistake and I was sorry for myself.
If so, what is the identity of the hacker? @jiganomics ??
I started looking into the history of the guy who took my precious STEEM and SBD. What the hell is that ?!
It was not a user who posted recently. I was getting money from many accounts and all STEEM and SBDs were sent to another account called @monicaways and then withdrawn via BlockTrade. In addition to @jiganomics, there were a few accounts with the same role ... It was not difficult to see if the users who actually sent them to @jiganomics were victims.
Receive 3.709 STEEM from onlineguru78
https://steemit.com/hacked/@onlineguru78/i-got-hacked-on-steemit-please-help
11 days ago Receive 2.769 SBD from alexandera
https://steemit.com/openmic/@alexandera/openmic-week-70-cover-song-by-alexandera
18 days ago Receive 2.740 SBD from fromhell2sky
https://steemit.com/steemit/@fromhell2sky/my-come-back-the-return-of-from-hell-2-sky
Receive 120.000 SBD from justnowandthen
https://steemit.com/@justnowandthen/transfers
그저께 Receive 120.000 SBD from
3 days ago Receive 0.001 STEEM from alexwonderful
3 days ago Receive 187.162 SBD from alexwonderful
https://steemit.com/@alexwonderful/transfers
8 days ago Receive 0.001 STEEM from navaneeth
8 days ago Receive 17.762 SBD from navaneeth
https://steemit.com/steem/@navaneeth/please-help-my-account-seems-to-be-hacked-with-sbd-transferred-to-jiganomics
9 days ago Receive 29.091 SBD from hafizul
9 days ago Receive 0.005 STEEM from hafizul
9 days ago Receive 44.656 SBD from hafizul
https://steemit.com/steemit/@hafizul/thief-alert-please-be-careful
10 days ago Receive 8.327 SBD from sawmyattun
10 days ago Receive 0.259 STEEM from sawmyattun
11 days ago Receive 0.990 STEEM from yanebomg
https://steemit.com/@yanebomg/transfers
12 days ago Receive 0.945 STEEM from minasmsm1
12 days ago Receive 9.638 SBD from minasmsm1
https://steemit.com/football/@minasmsm1/brvs-egy-2009
16 days ago Receive 43.000 STEEM from russiandoll
https://steemit.com/@russiandoll/transfers
17 days ago Receive 0.001 SBD from peacelife
17 days ago Receive 10.963 STEEM from peacelife
https://steemit.com/@peacelife/transfers
Users who left the owner key in the note, typed the key value in the posting and comment, and were remitted by the same method as me. Some Many users have lost a different amount of STEEM, SBD, and they have been downvoting to @jiganomics account and left a comment. However, the @jiganomics account is also not known even if it is an account that has been hijacked or a hacker's own account.
After experiencing this first thing, I was worried about whether it was right to continue Steemit in a very angry and speedy way. My mistake felt pathetic.
Obviously I made a foolish mistake.
But I think anyone can fall into this situation. In Steemit, we work with STEEM and SBD, which are not merely points but are linked to real assets. Does SteemIt really have enough features to protect our valuable assets?
This is the content on the Stimmit Password Change page.
First rule: Do not lose your password.
Second rule: Do not lose your password.
Third rule: There is no way to recover a lost password.
Fourth rule: The password you can remember is an insecure password.
Fifth rule: Use only randomly generated passwords.
Rule six: Keep passwords alone.
Seventh rule: Be sure to back up your password.
I have a strong question on the fourth rule.
Is the password you can remember really unsafe? Passwords that can not be remembered should always be Ctrl + V. It can be stored in a clipboard that is difficult to see by eye and can be pasted by mistake at any time. Could you remember that a strong password over a certain condition is more secure?
I want to make some improvement requests to SteemIt.
- Apply 2FA certification when sending more than a certain amount, such as 10STEEM, 10SBD
- Let's not send money with Active Key only
- You will not be able to sign in with Active Key on other pages, but you can log in and send money from your account's Wallet page. As a result, you can send money only after logging in with the active key. Even if you do not use the owner key and use the posting key and the active key, it means that you can lose your asset when the active key is exposed.
- Posting and commenting will be more clearly recognized by translating the warning messages that are exposed when you enter your private key.
- I think I can improve myself using the Utopian.IO project.
- Let's close an account that is clearly aimed at malicious activity
- Accounts such as @jiganomics and @monicaways do not do anything for the steemit ecosystem. Even if it is not hacking aggressively, it waits for the users' mistake and gives them asset peculiarity. This economic and psychological damage will give a really terrible experience to Steemit users.
- Lock your account in the same way as a hacker used to expose your private key, and help your account recover without hassles through account recovery requests.
- It is difficult to operate 100% effectively. If it is faster than a hacker and it is not an official function, it may be possible to buy a misunderstanding to some users. However, I think that if you run it with clear rules and get advice and help from many developers, you can protect users who make mistakes that lose their keys from harm.
- Fortunately, a Korean developer has already implemented this feature !! Please give a lot of encouragement and support.
- @otac 's post : https://steemit.com/kr/@otac/4slajo
Feedback and advice.
There seems to be a shortage of my concerns and suggestions. Please give me lots of advice and feedback. Thank you for reading the long story.
Everyone should be careful to manage their own private keys! Do not let anyone suffer the same thing as me.
Yes, I had a similar incident. I had posted my key in the link meant for the photo credit for a post that I had made. You see to have lost a huge amount of Steem. I lost 17 SBD but it was all my hardwork. It's sad that no one did anything about that particular account. I had emailed the steemit security team but got no response, tried reaching out to a lot of big names but maybe they were too busy to worry about my meagre 17 SBD. But this account needs to be stopped.
Yes, I think that accounts with malicious behavior should be closed.
I agreed, we just complain about this, it seems we are a small fish. We can do nothing. I guess, someone who has a big amount and made robot fake account, try to catches a small fish like us, who made mistake by post private key.
becareful please actually there are over 15 bots who check exposure of private key by mistake
in real time.
Every mistake makes us stronger, better and gives us experiences. I also posted my old passkey instead of a link I wanted to post. At that moment, I wanted to hurry and made a big mistake. But now I take it easy and control my written words and links. I never saw my lost money again. But so I lerned my lesson.
I agree with you, me too! i'm lucky i got my account back. After i posted he took all my 187 SBD. I learned my lesson.
Yes. We learned a great lesson. Do not make this mistake again. But human's mistakes repeat. I think We should have systematic safeguards.
yes same incident happened with me i lost my some funds then i recover my account u lost huge amount of money thats really really sad and bad experience steemit dev should be notice on it.
they have to caught him through his ip address.Hacker can change ip address but steemit have to try to caught him steemit have to do more secure and reliable platform for user it can be happen with anyone and i also mention in my about section i wrote it i hacked recently please be aware when u post or comment something.
@coffeex sorry for that such a bad experience.
2FA should be good.
I think 2FA is necessary. it would be a good solution if individuals can choose whether to activate.
Right. We need to provide Steemit with a safeguard so other users do not experience such a sad experience. @onlineguru78 I hope to have good things for you in the future.
yep sure you are right there should be 2FA maybe Steemit dev team will add this option.Hacking is now very common thing on internet we have to secure our all accounts and keys with doubled security system like 2FA or email verification.
some months ago unfortunately someone steal my blockchain wallet key and password i dont know how he get that thats not a phishing attack he put my key and password but he cant log in because i set 3 layer of security the first email verification 2nd 2FA and 3rd again another password he cant get logged through the all process he just had single password and he cant access on my account i did lose any thing i mailed to support center about it then i changed my key and i still have same account but i dont transfer big amount on it.
steemit also have to make security like www.blockchain.com
Yes, I agreed. It seems like anyone can steal this money on this site. after you were posted by mistake.
Oh no! So sorry to hear that : ((( Must have been an awful experience. So.. after all, everything went ok? Hope you are feeling better now! Cheer up coffeex!
Thanks Chocolate Girl !! It was a terrible experience, but now everything is okay.
Hello, I am a victim too! I was checked and talk with @jiganomics already. He said that he was stopped use this account last year ago. I think someone has used his account. We told him to go to see Police because if he got hacked like this all the time. The people will hate him and he will get trouble. someone get angry at him too much. I'm not sure, it's him or not. His account is a robot too! After you're failed, he will take it immediately. haha it was funny after i had posted he took it only 1 minute. I tried to recover my account and then i got it back. I feel sorry you lose all your steem and SBD. Now! we need to be careful more and when copy link need to make sure you can copy it. I hope who take care of this they are listening to us. And hope he should be closed his account as soon as possible, No more Victim. All we learned from our mistake and carefully. He could not deserve it from us. Because we're hardwork. God bless you dear.
My comment was also ridiculous. I never imagined that I would make such a mistake.
Have you talked to @jiganomics? However, the account still collects mistakenly exposed passwords and takes unfair advantage of it. I do not know if he is the owner of the original account or if he is also a stolen account. One thing is certain, however, is that we need to close accounts that only do this malicious activity. Tell me if you have a good idea.
Honestly, I don't have any idea now. We need the whale to do this. I don't know how, try to contact who is responsibility of this. Do you contact Ned? I want him close his account too!
Ok Thanks ~ I want to find out what I can do.
Congratulations @coffeex! You have completed some achievement on Steemit and have been rewarded with new badge(s) :
Click on any badge to view your own Board of Honor on SteemitBoard.
To support your work, I also upvoted your post!
For more information about SteemitBoard, click here
If you no longer want to receive notifications, reply to this comment with the word
STOPThanks for badge. That's cool!!
저런.... 프라이빗키 저도 조심해야겠네요......
모쪼록 잘 해결되셨으면 좋겠네요 T>T
kr 커뮤니티에서 @otac 이라는 분이 개발한 알람 봇이 있는데
여러 기능 중에 해킹 방지 기능도 있더군요.
(15개 이상의 해킹봇이 돌아다니면서 프라이빗키 노출을 실시간 검색한다고 합니다 조심하세요.)
네 ~ 본문에서도 @otac님이 개발해주신 봇 소개했어요 ㅎㅎ (kr 커뮤니티 자랑 ㅋ)
#coffeex i got scam from guy and back my account with email rec emil VC
It would have been a painful thing. I am really glad to have your account back.