First Update to July 14 Security Announcement from Steemit CEO Ned Scott

in #steemit, 4 years ago (edited)

After conducting further analysis and following hack containment procedures, Steemit has been able to narrow the potential number of compromised accounts. We can now announce that in the past few hours, the Steemit team has been able to coordinate with elected witnesses to secure potentially compromised accounts with balances exceeding $100 US. As a result, we can ensure these accounts are restored to their rightful owners. This process has been completed.

Within the next 48 hours, Steemit will begin to allow all newly secured accounts to reset their passwords simply by logging in with the same Facebook or Reddit credentials that were used to register in the first place. This easy process will work for the vast majority of the potentially compromised accounts. All of these account holders will regain full access to their funds and their original account name.

If your user account was not created through Facebook or Reddit, Steemit asks that you contact our support team at [email protected]. We will be able to provide you with an alternate solution. If you have any additional concerns about your account, please contact our support team as well.

The Bittrex team is completing analysis of our wallet. Once it has passed their rigorous compliance checks, they will reopen the wallet for deposits and withdrawals.

To all Steemit users:

If you have not done so already, please reset your account passwords. We ask this to ensure that everyone's account is secure. Remember that each account has 3 keys: an Owner Key, an Active Key, and a Posting Key. We recommend following best security practices by choosing a unique password for each of these keys. This will allow you to use Steemit safely for day-to-day activity with only your Posting password.

As mentioned earlier, any Steem or Steem Dollars stolen from compromised accounts will be fully refunded by Steemit.

Thank you all for your patience and support through this process and for your wonderful contributions to Steemit.


Previous Update Here


Confirming the authenticity of the account commenting on this account confirming the account posting this.

Giving suspicious glance at Confirmer and Confirmer of Confirmer.


Confirming the authenticity of the account commenting on this account confirming the account posting this.

Just want to drop that here: How to verify yourself and others properly with Keybase to make verification more explicit and verifiable. Since you could be compromised, too. :-)

Confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this post confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this post

Don't forget to change the memo key as well. Personally, I like to use the same password for posting and memo for convenience, but I keep the active key password separate and normally not logged in as active. The owner key also has its own separate password and is securely kept offline.

I think you guys handled this security breach really well! Thank you. Steemit has earned my full trust. xD

You got a point, maybe the author can explain. Steemit is however up and working, there is no reason to fake this kind of announcement.

Ned, thank you for 1) disclosing the nature of the issue, 2) promptly communicating and providing regular updates, 3) disclosing your defense strategy and reiterating that Steemit will maintain a zero-tolerance policy for criminal activity on a decentralization platform (this is absolutely critical for the future sustainability and growth of the Steemit ecosystem, especially in light of the recent dark web and related crypto markets; brand equity needs to be cared for) and 4) for ensuring that a more secure system is in production within 24 hours and for immediately containing the threat while doing your best to minimize impact to thousands of other users; the fact that the hacker(s) could only access 260 accounts is indicative of a unique technology structure that you have all implemented in Steemit; bullet proof!

I wrote a blog post on how timely and professional the entire Steemit team has been with its first hack.

Thanks for your excellent work.

Our hardest times are also the times when we can evolve the most. This clean solution only serves to strengthen the trust users have in you and your team.

Full steem ahead!

You've done a really good job! Thumbs up for managing this attack like pros.

I completely agree, I could honestly say that @ned and his team have responded more effectively to this isolated information security incident than most "too big to fail" chartered or international banks! Kudos to the team and kudos to the loyal community who stuck through to see the light at the end of the tunnel.

Love the transparency guys. Keep up all the hard work. We appreciate it!

This is a real crypto-currency site, not like The DAO...
Fast, secure and refundable!!!!! Steem it UP!!!

Thank you for your hard work guys. We all love this platform and I'm honestly glad this happened so quickly; it would have been a much bigger headache further down the road.

I could not agree more. Better safe than sorry, and now that the solution has scaled and already has a dedicated consumer base of thousands of users, it will immediately attract unscrupulous eyes and unwanted attention as hackers will be interested in extracting some illegal value for themselves. The Steemit community does not need those headaches! Disrupting the legacy centralized social media tools is hard enough on its own!

Any cryptocurrency with a Top 5 market cap needs to be especially careful, not just from an authentication standpoint (some users have suggested implementing a two-factor authentication module for Steemit, which would help but that is only the beginning), but also from a regular site audit standpoint; these cryptocurrencies need to invest in the proper business continuity planning and disaster recovery management solutions, as well as ensuring that they have access to cyber security and digital threat forensic experts to help 'stress test' the system. This is only the beginning and there will be more and more attempts going-forward.

One last point worth mentioning, the actual Steem cryptocurrency was not impacted or attacked in this particular incident, it was only the website and that has since been corrected by Ned and his team.

Long live Steemit!

good to know the difference right? the steemit website got hacked not steem

I truly appreciate how upfront and transparent you guys are. It makes me very comfortable with this platform.

Thank you very much for resolving the issues! I can now promote #steemit among my friends without them facing the half-working site.

I hope I am not the only one here that doesn't know how to reset his keys... :/
anyone that can make a fast how to guide will get my upvotes. pls link it here too.

But I am old! and so much of the detail is gibberish to me :-( even after reading thru that link and writing it down.
I'll get my computer science daughter to help.

Another question, tho...what happens if I don't do this and just keep my current login to steemit, besides maybe not being protected? Are there any other reasons?

Please do get someone you trust to help you with the process.

You are lucky to have not been directly compromised in this hack this time (although it may still be possible the attacker has compromised you anyway yet hasn't acted on it yet, so it is important to update your passwords). Normally, if your password is compromised with the default setup after registering via Reddit or Facebook, it means your owner authority is also compromised. If your owner authority is compromised, you no longer own your account and no one can help you recover it (with the exception of hard forks, but that is a nuclear option that is only justifiable to bring out for truly exceptional and massive attacks, as was done yesterday).

So it is really important to have a separate strong and random password (you don't need to remember it) for the owner key and to keep that stored securely off of a computer. A perfectly decent option is writing it on good old analog paper and keeping it in a fire-proof safe (and having backups in other safe locations you can trust is smart, but make sure people you don't trust cannot see the information on the paper). That information can basically act as your passport proving you are the real gardenlady in case your computer gets hacked, so that you can recover your account and funds.

Lastpass is a great choice. It is smart to have password managers such as Lastpass generate the strong passwords for you and save/manage them. So you could use Lastpass to save your posting/memo password as well as store a separate active password.

Normally, you would be logged in with the posting password (see this guide for details). But you can temporarily log in (in a private or Incognito window for example) using your active password any time you want to do any operations other than posting or voting. That includes powering up or down, sending money to other accounts, using the internal exchange, or changing your active, posting, or memo keys. Then once you are done with that privileged operation, you can logout or simply close that Incognito window, and go back to using your normal posting login.
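The key-role separation that the announcement lists (Owner, Active, Posting keys) and that the comment above works through in practice can be made concrete with a small model. The following is an added example and not Steem's or Steemit's own code: the per-role key derivation is an illustrative stand-in for whatever Steem actually does, the operation-to-authority table is constructed from the operations the comment names, and the account name is a sample value taken from the thread. It shows why a single master password (the default setup) is equivalent to owner authority, while independent per-role secrets confine a leaked posting password to posting-level damage.

```python
import hashlib
import secrets

# Key roles on a Steem account, as listed in the announcement and the
# comment above. Memo is for message encryption, not an authority level.
ROLES = ("owner", "active", "posting", "memo")

# Operation -> minimum authority needed. Constructed table based on the
# comment above: posting covers content, active covers funds and the
# lesser key changes, and only owner can change the owner key itself.
REQUIRED_ROLE = {
    "post": "posting",
    "vote": "posting",
    "transfer": "active",
    "power_up": "active",
    "power_down": "active",
    "change_active_key": "active",
    "change_posting_key": "active",
    "change_memo_key": "active",
    "change_owner_key": "owner",
}

# Higher authority implies the lower ones (owner > active > posting).
ROLE_RANK = {"posting": 1, "active": 2, "owner": 3}


def derive_role_key(account: str, role: str, secret: str) -> str:
    """Illustrative stand-in for a per-role key derivation (NOT Steem's
    real scheme): the key for a role is a hash of account, role and secret."""
    return hashlib.sha256(f"{account}:{role}:{secret}".encode()).hexdigest()


def default_setup_keys(account: str, password: str) -> dict:
    """Default setup: one master password derives every role key, so
    whoever learns the password holds owner authority."""
    return {role: derive_role_key(account, role, password) for role in ROLES}


def separated_keys(account: str) -> tuple:
    """Hardened setup: an independent random secret per role (the owner
    secret is the one to write down and keep offline). Returns both the
    secrets and the keys they derive."""
    role_secrets = {role: secrets.token_urlsafe(32) for role in ROLES}
    keys = {role: derive_role_key(account, role, s) for role, s in role_secrets.items()}
    return role_secrets, keys


def roles_recoverable_from(account: str, leaked_secret: str, keys: dict) -> set:
    """Which role keys can someone who learned `leaked_secret` reproduce?
    This is the blast radius of a single leaked password."""
    return {role for role in ROLES
            if derive_role_key(account, role, leaked_secret) == keys[role]}


def authorize(operation: str, presented_role: str) -> bool:
    """Does a login holding `presented_role` authority suffice for `operation`?
    Memo is never an authority, so it authorizes nothing."""
    required = REQUIRED_ROLE[operation]
    return ROLE_RANK.get(presented_role, 0) >= ROLE_RANK[required]


if __name__ == "__main__":
    account = "gardenlady"  # sample account name from the thread
    # Default setup: leaking the one password leaks every key, owner included.
    default_keys = default_setup_keys(account, "correct horse battery staple")
    print(sorted(roles_recoverable_from(account, "correct horse battery staple", default_keys)))
    # Separated setup: a leaked posting secret reproduces only the posting key.
    role_secrets, sep_keys = separated_keys(account)
    print(sorted(roles_recoverable_from(account, role_secrets["posting"], sep_keys)))
    # The everyday login holds posting authority and cannot move funds.
    print(authorize("vote", "posting"), authorize("transfer", "posting"))
```

The `authorize` check is the reason the comment's routine works: a browser session holding only the posting key can vote and post all day, and a temporary Incognito login with the active key is needed for transfers, power-downs or key changes, which limits what a stolen everyday session can do.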

Thanks arhag. Right now I use LastPass to hold passwords, I was thinking that it's pretty trustworthy, and I have 2 levels of password protection just to open LastPass accounts. Regardless, I will try to get help from said daughter :-)

oh, and i read somewhere that when you Power Down (which i'm not doing anytime soon) you'll need the separate passwords because we shouldn't Power Down via steemit? we should do it thru ?....oh, I didn't understand.

Thanks for handling this. My account seems to be unaffected.

Thanks. It's really nice that you took care of this so quickly and are refunding the stolen goods.

Create unique passwords that use a combination of words, numbers, symbols, and both upper- and lower-case letters.

This is very important news for everyone who invested in Steem!
It shows the seriousness with which this cryptocurrency is being treated! Thank you!

It is very kind and responsible of steemit to refund all the affected accounts.

I'm done researching Steem, and I now fully understand the whole content of it. I think I'd settle on this crypto rather than Ethereum. :)


Thanks for the heads-up

Good! thanks for your correspondence.

When will one be able to edit/change account information? It is an important part of a branding to be able to edit the automated avatar for instance.

Wow....hopefully this craziness is behind us now.

Thanks for keeping us updated. We will move on and this is going to be awesome. Screw hackers that want to bring something great down. We will just be bigger and stronger!


Impressive response time!

Good to see that quick action has been taken and the rapid provision of information.

Hang on a sec, reset passwords? How? call me dumb, but I can't find an option to do that in the Steemit UI

Thank you for sharing. Helps keep confidence and sheds light on how steemit works in practice. Keep up the good work

Thank you for sharing. Steemit is the best Blockchain.

Thank you guys for all your hard work, long live the Steem family!



Adding two-factor authentication may help secure user accounts from theft.

Please don't let this incredible platform turn into a shit show! =(

Hey, @ned, your link "Previous Update Here" at the bottom is not working.
Thanks for great job protecting steemit

Pardon me, but did you just say that you still have all the credentials used to create accounts linked from Reddit/Facebook?
Can you provide any additional information on how securely this account data has been stored?

we must keep a minimum set of data to prevent abusive signups.

You should update your site every week.

Did I miss something? Do I have to enter my password every time I post something? Is it some type of setting or safety protocol? Or is it because I am in incognito mode and don't allow cookies?

And of course it works fine this time. I was worried before because as I would type my password it felt like there was a delay in characters showing up, maybe it's my internet - but I thought someone was logging me or something.

So 2FA is not planned to be implemented?

Glad to see the right course of action being taken!

My account was not affected by the look of things, which is positive :)

Fast and accurate action taken. This cyber attack compared to Ethereum's attack shows why Steemit will work while Ether will be left behind.

Would be nice if you actually gave simple to follow directions on HOW TO RESET PASSWORD.
You see the Big Picture and miss the Small Picture. I know I am not alone, I see this expressed other places every day.

Very impressed with the way this was handled. Well done Steemit.

Confirming that my Bittrex account holds more Steem now. Been riding the waves, buying, selling, and buying back in :)

Very interesting! I like it!

I cannot access my Bittrex wallet because the wallet is under maintenance. I had the idea of selling from yesterday and cannot do it. I am very disgusted with Steemit.

called the cops, called the Fire Department, called pizza hut, called the USN, called the Royal Navy, called the Red Army, called the FBI. called the CIA, called Interpol, called the KGB, called the USMC, called the USAF, called the Royal Air force, called MI 6, called Scotland Yard, called the US National Guard of every state, called NYPD, called Obama, called the Queen, called Putin, called David Cameron, called every Governor of every US State, used my time phone to call Winston Church hill, As well as Hitler, Stalin, Theodore Roosevelt, George Washington, Montezuma, ever Caesar, and Gilgamesh, called US Army, called British Army in every era, called every phone sexline, called papa john’s, called the US Coast Guard, called my State Senators, called my Senators, called every republican in the US, called Dr. Who, called the Pope, called my local Gang lords, called the State Patrol of ever state west of the Mississippi, called all of my local news channels, called Star Fleet, called The Sun, called The national enquirer, called CNN, called Scot Pelly, called Steven Colbert, called half of the Mexican Drug Cartels, called Nintendo, called the Japan Maritime Self-Defense Force, called the head of the Illuminati, called ever free mason, called bilderberg, called my neighbors, called the mayor of ever city in France, called my mom, called the Emperor of Man, and called every school district in Canada.

If I get 20 votes on a post and the money stays at 0 dollars.... what am I doing wrong?

I don't understand? When I registered I was only asked for, and I only supplied, 1 password. Can you please elaborate how one is supposed to create 3 separate passwords?

Also, does this mean that the hacker obtained user account passwords? For everyone? Or just large holders?


Is there any documentation on how it works / what the differences are between the 3 keys (owner,active,posting)? I just got here, feeling lost. thanks!

Thanks for the fast update. This shows professionalism, work, and trust.

For people looking for secure passwords, try KeePass.

Thanks for the update, confirming authenticity of the account posting this.

Thanks Ned, appreciate the update.

OK guys and gals, for all of you asking questions and wondering how to reset your keys/passwords I just finished completing the steps to creating new passwords for all 3 (Posting, Active and Owner). THANK GOD I wrote these down and saved them before and after I changed them in my permissions before doing anything else because when I logged out of steemit and tried to log back in using my original password I set when linking my reddit account, somehow that password magically stopped working and the login would not recognize that password. Wow. I don't know if it's just me but that password was working fine the entire time until I changed all of the 3 keys, so PLEASE BE VERY CAREFUL. I followed all instructions to the T in ned's post as well as the steemit guides and according to what I was reading, regardless of me changing the passwords to the 3 keys, my original password I created when first signing up should have remained working no matter what, but it simply does not. Currently at the moment I am unable to log in with my original password but thank goodness I can log in with all 3 of my newly generated key passwords. Good luck guys, be careful.

Thank you Steemit, now I found a place to hang out.

This posting says "...each account has 3 keys: an Owner Key, an Active Key, and a Posting Key". I have those 3 plus a "Memo" key. Is there a reason the Memo Key is not included in this alert?

I don't think the Memo key has been fully implemented yet being that steemit is still in beta. As far as what I know Memo will be fully implemented sometime in the near future. No worries there partner :)

Can you define the term "newly secured accounts"? Who exactly will need to reset their passwords?

Confirming the authenticity of the account commenting on this account

I just registered :)

Thanks for the update. I think that there is no way to re-lock the access once you open it up on the website until it resets on its own and requires you to log in to view the private keys. Something I noticed. I'm sure there will be many enhancements in time.

Just to be safe, always check to make sure this is from the official Steem account.

Amazing!!! Thanks

Two factor authenticator

This is a worthwhile thing to do!

A hacker or steemit transferred my steem to bittrex 4 hours ago. My previous posts have been deleted about this.

Great work!

Ned, i would take this as a badge of honour, if you are not getting hacked and DDoSed then you are not a useful platform that anyone gives a rats ass about, and if you don't get sued sooner or later, you are not a real business. What happened is a fact of operating something that matters. Given how you reacted and dealt with this incident, I'm sure you guys will get the pleasure of putting out fires much larger than this .. really congrats on containing it and acting fast in the right way.

It's just the first problems... The STEEM rate will drop now and create panic selling. You need to do a full release before advertising! Because you still haven't seen the problems of growth.
Read my post:

Thank you steemit!
I'm glad to see how you solve problems, and your responsible approach to business!
I hope it will always be so!
I #Girlpower :))