You are viewing a single comment's thread from:

RE: @samstonehill has been hacked & cannot be re-accessed. How did this happen & what are the solutions?

in #steemit4 years ago

Whilst I think websites like anon.steem which permit you to buy steemit accounts with no email address are GREAT, one must be aware of the potential problems in doing so.

Actually, you'd have been safer if you had used AnonSteem.

We recover accounts generally based on you having your original order ID and an old password, as well as some clear way to prove it's still you (e.g. your twitter, steemit chat account, discord etc.)

But, we can also recover accounts if we just know it's you. Maybe something as simple as a video call, to see you're clearly the same person from the images, and I'd happily enable recovery for the account.

I reported the phishing domain to GoDaddy last night after I got the spam to my own STEEM account, though they seem to be making new ones constantly.

You might be able to contact some STEEMIT staff, who could enable recovery for your account if they verify you through alternative means as I suggested.

@ned @sneak


I don't understand how accounts can be recovered in a trustless and decentralized way if someone is deciding whether or not they want to recover it.( based on their subjective opinion) Please explain

The account can only be recovered if someone knows one of the old passwords.

This means even though I can start the recovery process for an account made via AnonSteem, I can't actually change the key without having at least one of their old passwords.

Account recovery is something that cannot really be done without some form of trust system, otherwise let's say the hacker figures out your "secret information" you use for recovery? Well you're definitely screwed now.

It's possible for you to change your trustee, but you have to wait 31 days since the last password change to do that. You could for example, create an AnonSteem account, then 31 days later change the trustee to @steemit - which would make them responsible for recovering your account in an emergency. Similarly you could even set it to a friend.

Yeah. That's was the obvious part I was missing.

Also thanks for clarifying the trustee can be change. Such a well thought out feature that is this recovery account thing.

Thanks for your answer. What I don't understand is that samstonehill said steemit needs his email to recover the account, why ? They should only ask for old password not the email. no?

Account can only be recovered by the account recovery person and only if the master key has been changed in the last 30 days.

If the account has been created on the recovery person is @steemit If the account has been created by other means than then the account recovery person can be chose by the person who create the account.

This is why anonsteem can be the recovery person. The can only change or recover the account if the password has been changed in the last 30 days. I'm not sure if I forgot something or if my explanation is 100% correct. Maybe @someguy123 can confirm.

Great and all untill @someguy123 dies and then what? I hope he has deadmans swicthes set up! sory to be so gloomy but taylor swift has said, 'I dont trust nobody and nobody trusts me' so is anon steem realky better? ior is it just some guy? lol woah didnt even meam that but yeah isnt it just some guy trying to pretend he is like a company? i mean, i hope at least 2 people run anonsteem! bevcause if something happens to like theone guy who runs anonsteem and then u cant get ur account recovered, then what?

Sorry thats just my lil "hat if" scenari, juyst being a contrarian

yeah anyway I always used to ask about how the account recovery works, but i have to remind people, Steemit is not Bitcoin

we dont use proof of work, we have Delegated proof of stake, that chanegs everything when it comes to doing stuff like being ABLE to do stuff like a Wallet recovery when Bitcoin has no wallet recovery for hacked wallets... lol But imagine if Bitcoin network actualy decided to do a hard fork to reverse all transactions that were from hackers stealing funds, you could have like a hard fork of bitcoin where all contested transactions are reversed and you have a central authority to do that stuff, and thats kind of what steemit is because all the witnesses kinda know each other and thats one simple way to look at ity.....

but in reality the witness nodes are decentralized and steemit inc is just one steem gateway.... steemit inc cannot really do any more than any one person with steem account, a steem account can be created from any already created account..... and you can make your OWN steemit gateay like chainbb or .... thething is all witnesses have to agree tio run teh same software... that software has to behanded "down" from some centralized locaytion and thats steemit inc for now, am i right or wrong? I am not sure thats jjust my guess.... but it is only like that for now

in the future we will become more decentralized so that steemit inc can be shut down and we could still carry on... in fact if busy,org has a powerdown and withdrawl function... then i am pretty sure we could be using that incase is down.... wel no bevcause it cannot create accounts i dont think? at least not for free?/? I think we would need a new gateway that can create steem accounts and tHEN we wouldnt need but h,, yes its strange @someonewhoisme it seems counterintuitive at first BUT its not, its makes sense when you know how steemit works and how yes it is decentralized but the steemit witnesses all agree on everything or else we would not have consensus, but we have this sort of hivemind but its a decentralized horizontal hivemind.....
I think that you have to realize... steemit is not bitcoin and bitcoin does not have witnesses but just bitcoin miners and nodes and you dont have a centralized way to organize them all like you do on steemit where you can talk to everyone over the steemit forum...Bitcoin would need to freakin use forums to actually communicate instructions and news to all of its network miners and node operators whil steem blockchain has this built in social media network that lets people talkto each other and also to amake announcements where the important ones get to the front page and everyone gets to see them!

So you see, that and how we are Delegated proof of Stake allows us to actually do things regular POW bitcoin cannot do! through consensus of witness nodes we can accomplish great things for the community! Its software and all software is maleable its just a question of getting everyone to agree on overall system wide changes, consensus, its magical!

that software has to behanded "down" from some centralized locaytion and thats steemit inc for now,

The Steem software is publicly hosted on github just the same as Bitcoin. Both can be fork. For now Steemit Inc are the one most knowledgeable about the code but anyone can study it. It's open source.

What you said about the fact that if something happen to the recovery partner is also true if the recovery partner is Steemit. If the person or persons controlling the Steemit account are ill prepare in case something happen to them then they might not be able to recover the account of their people. I think the recovery partner can be changed. I'm not sure. Not through steemit but through steemd. I'm pretty sure it can be changed.

If all witnesses agree to something then they don't have to conspire to make something happen, they all agree. That's what happen Steem is updated. I don't remember how many % of the top witness have to agree but the update goes through.

For some witnesses to conspire and trying to pass false transactions would be almost impossible I think because other nodes would realize what happened and then people would very soon vote those witnesses out of their place. It would also be much more complex than people realize and those people/witness would probably have to know how to recode part of the Steem code. Not realistic stuff for many reasons.

Creating Steem account almost for free is coming in the next update and if it wouldn't it would probably be an easy thing to code if Steemit Inc didn't want it but everyone else would want this feature. The thing is Steemit Inc want this feature probably more than anyone else.

why does steemit need email to recover the account?

It's a way to help them prevent the person who just steal the password to initiate the recovery process claiming they are the real owner of the account. They don't really need it if they can prove the identity of person trying to recover the account by another mean, in fact the email is far from being the best way but for Steemit it can help.

Anonsteem uses other means and other recovery partners could also use other means.

I know, it's a bit another issue but I have a question though.

Is it possible to get back STEEM I have sent by mistake to an account?
E.g. I sent STEEM to @minnowboster ( with one o instead of @minnowbooster with 2 o's?
I mean, there should be an option to reverse your actions within a given time frame.

the email is the second factor authentication on the identity part of the account and other security mechanisms for anonymity.

Wow! I was not aware of this at all. And I apologise for my assumption. I will amend this information immediately. Perhaps it might be worth adding this info on your main page? Now that hacking seems to be a topical issue, I believe it would make people feel safer.

This info certainly makes me feel a whole lot better, as this new account was bought with anon.steem! Thanks for your awesome service by the way 🙏🏻

And your suggested systems of proving identity make a lot of sense.

I have written to [email protected] and explained the full story... and I hope they will let me verify my identity with something as simple as a video call :)

Thank you for tagging @ned & @sneak here. I hadn't thought of that.

@samstonehilltube :D this is quite unfortunate, I wrote a bit longer of a comment and I'm sorry you lost your "fortune"

First of contact the team and ask them, any of the devs on chat, ned, sneak whoever on the rocket chat.

Second you've done the best already, I was tired of watching scam posts, but it is how it is, I was going to write a security 101 ... What I've learned from games is "Never tell anyone your password" privacy is important as is thinking, you basically went into the perfect storm, but next time, if steemit needs your password, what for, why would they, there is no reason, they have their accounts..

Pfishing is going on since emails exist even before that, people have been getting scammed out of property, whatever weak points you have will be exploited if there is gain to be earned .. some people are like that, anyways freezing accounts would be nice in such occasions, but I'm not sure how features would be implemented without the potential for abuse..

Just keep in mind there are many greedy and stupid people..

I'm happy you have grown so much :)

and that you have spread what you have earned, whatever is lost rarely is, I'm sure you will make it back up in no time, in the case of the account not getting recovered.

There was a famous quote from a millionaire that he can make everything back up even with a shirt on his back, I hope this is a worthwhile experience to any ego driven mind, which is all of us. Possessions are not worth anything and we have put a lot of value into a lot of objects

Ridiculous Account Security in a decentralised app..

I'm sure you will pull back, you have a beautiful life :)

Let the traps fall into themselves.

Thanks for the clarification on anon.steem and what you did. the next time i wanna register an account for someone who wants anonymity, i'll use your service.

I have used it many times. It's great! Especially now I know accounts can still be recovered without giving an email address :)

I am thankful that you have been able to get your account back! Losing all that work put into it would be heartbreaking.

This scam was discussed in the #security channel on If anyone sees anything similar to this scam, simply get on and ask for help first. It doesn't hurt to check in the official #steemitabuse channel too. I had reported this particular scam to that channel as others had. The admins were working on it too.