I just hacked 1 account on Steemit! ~$45 in STEEM and SBD is under my control. But I am a good guy 😇 So...

in #steemit, 7 years ago

As you probably know, on Steem we earn tokens that have real value. Anything worth something attracts people who want to steal it, so we should guard our tokens as carefully as our own wallet. However, not everyone knows how to do that, or how important it is to protect a private key.

As a curator, I check the chat from time to time. I noticed that @szrociak had posted something strange on Steem Chat: an odd string of characters that looked strangely familiar. A few seconds of thought - it's probably a Steem key.

I enter the key - it works, I'm in his account. In that case, as a curator, I have to remove the private key from the chat, because someone could steal his tokens. Since I use Pidgin, I have to log in to Steem Chat and delete it manually, but the entry is missing there.


Pidgin

Pidgin is a multi-protocol instant messenger. With it we can talk over e.g. Jabber (XMPP) and hold conversations on Steem Chat or our Discord, all from one application. There are, however, things Pidgin was not designed for. You can chat with others on it, but an edit does not change an existing entry; the edited message simply arrives as a new version of the entry. That means deleting or editing a message that contains a private key on the web client does not remove it on my side in Pidgin!

Money money money ...

The first thing I did was to put together an action plan. In general, I could change the password and wait for szrociak to show up on the chat, or something like that. I asked our witness @jamzed, who advised leaving the password alone and just contacting szrociak (the account has a low value).

I sent him an email, contacted him through the chat and even his colleague (?) @bolgan. In the end, Bolgan may have reached him, and the password was changed.


I accidentally sent a key - what to do?

In my opinion, you need to take 3 steps as soon as possible:

  • Try to delete the key (from the chat, etc.),
  • Move your liquid funds to Savings - a savings withdrawal takes 3 days and can be cancelled, so it's better to wait 3 days for them to be paid out than to have someone transfer them out of your account in seconds,
  • Change the password.

And it's best to use only the posting key for everyday logins :)

At the end

Thank you for reading. I hope that at the right moment you will act the same way. For many people the private key is the most important thing; it matters more than the password. The most common approach among Bitcoin users (adapted to Steem) is:

  • Print the private (master) key on a piece of paper from a secure Linux distribution (e.g. Tails)
  • Use only the posting key day to day, and only once in a while, from a secure system, log in with the master key to withdraw funds

Great Security advice.

It's not a hack! :D But yeah. Guys, watch out for what you are pasting with Ctrl+V.

Yep ;) But maybe it is possible to create a bot for that? All Steemit keys start with P5. Maybe it has the same string length (for example 30 signs) and steem.chat can warn before you paste it into chat
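The "warn before you paste it" check proposed in the comment above, written out as an added example (this is editor-supplied code, not the commenter's bot and not part of the original post). It goes a step further than a prefix match: Steem private keys are Bitcoin-style WIF strings (version byte 0x80, a 32-byte secret and a 4-byte double-SHA256 checksum, base58-encoded to 51 characters starting with "5"), so the scanner first finds candidates by shape and then verifies the checksum, which keeps random 51-character strings from being flagged. The secret, the chat lines and the usernames in the sample log are constructed for the demonstration; none of them is a real account key.

```python
import hashlib
import re

# Base58 alphabet shared by Bitcoin and Steem (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # Every leading zero byte is encoded as a leading "1".
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-base58 char
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + raw


def checksum(payload: bytes) -> bytes:
    """First 4 bytes of SHA256(SHA256(payload)), as used by WIF."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def encode_wif(secret: bytes) -> str:
    """Uncompressed WIF: 0x80 || 32-byte secret || checksum, base58."""
    if len(secret) != 32:
        raise ValueError("secret must be exactly 32 bytes")
    payload = b"\x80" + secret
    return b58encode(payload + checksum(payload))


def is_valid_wif(candidate: str) -> bool:
    """True only if the string decodes to 37 bytes with a 0x80 prefix and a good checksum."""
    try:
        raw = b58decode(candidate)
    except ValueError:
        return False
    if len(raw) != 37 or raw[0] != 0x80:
        return False
    return checksum(raw[:33]) == raw[33:]


# Shape filter: a "5" followed by 50 base58 characters, not glued to other base58 text.
_B58 = "1-9A-HJ-NP-Za-km-z"
WIF_CANDIDATE = re.compile(rf"(?<![{_B58}])5[{_B58}]{{50}}(?![{_B58}])")


def find_private_keys(text: str) -> list:
    """Return every checksum-valid WIF private key found in text."""
    return [m.group(0) for m in WIF_CANDIDATE.finditer(text) if is_valid_wif(m.group(0))]


def redact(text: str) -> str:
    """Replace valid keys so a message can be logged or forwarded safely."""
    return WIF_CANDIDATE.sub(
        lambda m: "[PRIVATE KEY REDACTED]" if is_valid_wif(m.group(0)) else m.group(0), text
    )


# Constructed test data: a throwaway 32-byte secret, NOT anyone's real key.
SAMPLE_SECRET = bytes(31) + b"\x01"
SAMPLE_WIF = encode_wif(SAMPLE_SECRET)

# Constructed chat lines (hypothetical usernames) such as a client could scan before sending.
CHAT_LOG = [
    "alice: anyone around?",
    "alice: " + SAMPLE_WIF,
    "bob: careful, that is a private key!",
]


def scan_chat(lines: list) -> list:
    """Return (line index, redacted line) for each line that carries a valid private key."""
    return [(i, redact(line)) for i, line in enumerate(lines) if find_private_keys(line)]


if __name__ == "__main__":
    for index, safe_line in scan_chat(CHAT_LOG):
        print(f"WARNING: line {index} contains a private key -> {safe_line}")
```

In a real client the check belongs in the send path (or the paste handler), so the message is blocked before it reaches the server and other clients such as Pidgin that never see later deletions. The checksum verification matters: a bare "starts with 5 and is 51 characters long" rule would also fire on public-looking strings and tripped-over transaction ids.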

lol. Yeah, this is a crazy mad idea man. A bot could search all Steemit transfers and look for P5 in the memo, then it could log into their accounts and transfer money to its own account.

It is possible, but probably fixed. The title of the post comes from my friend's post:
https://steemit.com/steemit/@noisy/we-just-hacked-11-accounts-on-steemit-1158-sbd-and-8250-steem-is-under-our-control-but-we-are-good-guys-so

He found "a bug with memos" and fixed it
