Important Security Announcement: Steemit CEO Ned Scott

in #steemit6 years ago

Steemit was today subjected to a cyber attack. In the attack, fewer than 260 accounts were compromised, and less than $85,000 worth of Steem Dollars and Steem may have been stolen.

The hack has now been contained. User accounts and wallets are not at risk, and we hope to soon reactivate the Steemit website to normal order. Any users whose accounts were compromised will be completely reimbursed.

Though only a relatively small amount of Steem was stolen, we take any form of criminal activity against our community extremely seriously. We have reported the hack to police and other cyber crime authorities, including the FBI. A full, internal investigation is currently being conducted and we are working on an immediate solution.

Partner exchange Bittrex was informed of the compromise and is actively helping the investigation. As a precaution, they have temporarily suspended the ability to deposit or withdrawal Steem and Steem Dollars from their exchange. The suspension will be lifted as soon as possible.

Thank you all for joining us on Steemit. We apologize for the temporary disruption of services and look forward to resuming operation of our social network.

Regular updates will be provided here on



This article should mention that the Steem protocol (the "coin") was not hacked, nor was any smart contract running on top of the Steem protocol. This hack is a website hack where a hacker stole funds and account credentials, and not a hack on the coin itself, at least according to the best information available when this article was written.

The Steem protocol (the "coin") was not hacked this time . I own steem coins and would like to move them off line to a wallet to store safely but alas I cannot find a wallet if someone knows where , I would appreciate a link .Thanks in advance

Have you looked at Bitshares Openledger? They let you buy and sell OPEN.STEEM that you can then turn into anything of your choice via a service called Blocktrades. You own your own wallet in form of a "brainkey". The Openledger network run on a MIT designed blockchain dubbed Bitshares and is backed by BTS (underlying currency is Bitshares) i am coindup-hasho on OL
use my referral link

Which also means that a hard fork can't fix it.

I'm glad to see that too. Platform should develop no matter what happens.

Do people with big holding should consider changing their owner's/active keys?

My guess would be whatever key you login with may be compromised, but I have no clue as to the hack details.

The lesson (re)learned is to use a secure password that is difficult to guess. Also, I am hopeful that two factor authentication makes its way here soon.

Do you know how the attacker got in? I assume they altered the javascript to exfil private keys, yes? How do you know how many accounts were compromised? It might be wise to cycle everyone's keys at this point. I'll definitely be updating my posting key.

Yea, I was thinking something along these lines as well. XSS to grab a js token. I haven't looked into the site code, but I seriously hope they're not using js tokens and are instead using http only cookies.

At least is now been compromised, and from this experience Steem will up lift there security. Lesson learn.

Now that steemit is in everyone's crosshair, #3 on the top cryptocurrency list, we need to take development and security uber seriously. We should have 2factor or phone based ( coinbase does this) security features. Thanks for your updates.

and a account page so we can link our email and be able to change our passwords and forget my password to the site

that does nothing for site security, and actually puts individual users at a higher risk as now their email is now an attack vector

I could not agree more. Now that the solution has scaled and already has a dedicated consumer base of thousands of users, it will immediately attract unscrupulous eyes and unwanted attention as hackers will be interested in extracting some illegal value for themselves. Any cryptocurrency with a Top 5 market cap needs to be especially careful, not just from an authentication standpoint (some users have suggested implementing a two-factor authentication module for Steemit, which would help but that is only the beginning), but also from a regular site audit standpoint; these cryptocurrencies need to invest in the proper business continuity planning and disaster recovery management solutions, as well as ensuring that they have access to cyber security and digital threat forensic experts to help 'stress test' the system. This is only the beginning and there will be more and more attempts going-forward.

One last point worth mentioning, the actual Steem cryptocurrency was not impacted or attacked in this particular incident, it was only the website and that has since been corrected by Ned and his team.

Long live Steemit!

I dont think 2 factor auth would have helped in this scenario. It seems like the server hosting was compromised.

Unlike other crypto, Steemit's cryptomoney is mostly custodial. Since Steem Power is locked up for 2 years, that may greatly slow down a hack but like the DAO has shown, a slow mo train wreck is still messy. This platform is way too cool to go down in flames. We really need world class security going forward.

Don't forget, the Shapeshift theft was by an insider. Yuge lessons to be learned there too.

2 factor definitely. This was a wake-up call to get serious. You can spend a lifetime creating a good reputation and loose it all in 5 minutes.

And if anyone on Steemit is re-using passwords... please stop doing that. I bit the bullet a while back and started using KeePass (open source) password manager. I have mega strong passwords on my Steemit keys and everything else important these days, and so should you.

Remember, your Steem Power and bitcoins just may be your retirement fund.... protect them!

Great job @ned and the rest of the team. Good action taken, looking forward to the future!

How did they hack those accounts? Key-logging so they knew people's passwords? Or did they harvest stuff from reddit, and the users who were compromised used the same passwords as their reddit? And will the people concerned be able to change their passwords?

my respect for being honest and clever about this - I´ve informed the millionerds of about it - they are happy as well.

We believe in you guys, keep on keeping on!


Maybe the Steemit website needs 2FA? I was wondering why it wasn't an option for my profile?

I mentioned in the Slack channel a week ago or so that I was concerned that we are starting to pile up funds and we could become a target like the DAO, I suggested 2FA and limited login attempt security, I haven't tried but I don't think you get a time lock if you enter the wrong password too many times. Also articles that provoke other media platforms are dangerous and makes us a target while we are still in incubation.

The coin price remained stable luckily and most of the damage contained..


Ricardo Goncalves (BNC Steemit Community Manager)

Correct me if I'm wrong, but 2FA does not protect against cross site scripting attacks, does it?

Hi @Scrawl I'm not a dev so can't answer that. Thanks for bringing that to our attention though. Most exchanges use it, so in my mind it has some security benefits.

I totally agree 2FA should be implemented!

There are many ways to log in which are more secure. 2FA probably wouldn't have any significant impact on security. Multisig already exists and you can separate your owner key password from your poster key.

So I suppose you can improve on this technology by allowing a third party to hold a backup key in case something bad happens or something similar to this.

How about limited login attempts to prevent brute force attacks? Someone could possibly hack the main owner password if not set securely enough by the user? What do you think?

I am new here, but excited about the project. Is there a guide somewhere that explains the best way to secure one's Steemit balances, especially if they grow somewhat large? Or is it just a matter of using strong passwords? Where are my private keys being stored when I sign up? Any other security tips would be greatly appreciated. Thanks!

I'm probably not much further than you are in this new platform, but you can find your keys in wallet/permissions. I changed the passwords that access my keys this morning. I use a password manager (KeePass) and the are strong passwords, but easily accessible to me on any of my gadgets.

I'd like to know the difference between 'active key' and 'owner key'. Anybody?

I consider measures like these a must, I develop a number of crypto services that hold users funds, security, even the basic stuff, cant be taken lightly. My general guidelines tend to be, dont inform password/username is incorrect, simply state invalid credentials. lock the account for 5 minutes after 5 invalid login attempts, dont notify on the login screen that this has taken place, notify the account owner via email. Enforce strong passwords. I tend to be making 2fa mandatory now also.

Or completely overhaul the login system all together, I demo'd a proof of concept user registration/authentication system using Jumbucks addresses and cryptographic signatures, all wallets have this functionality. user provides a username and address on sign up, nothing else is required (email optional if they want notifications), user verifies ownership of said address by signing a random token using their wallet. to log in, user enters username, a random token is then presented, they sign token using the address they provided on registration, and boom their in.

I was wondering why this wasn't an option also.

You're not legit until someone tries to hack you these days :)

You guys are kicking ass! Keep doing what you're doing, and keep building a fantastic community.

Transparency in this type of situation is more than we can say about the US government these days :)


hahaha so true :D

I can imagine the DAO hacker saying "oh boy, just nabbed a boat load of Steem Power... in 2 years, I'm gonna have some real fun!".

See this here is the kind of transparency not normally seen in crypto. Bravo you all. Bravo.

Wow. So Cool. Posting from CLI. LOL..

Thank you for your quick actions. My immense confidence in you and your team has only increased as a result of your handling of this situation.

This post and the way the Steemit team, handled the incident are admirable. With the current userbase numbering 26,000++, we should all realize that Steemit is comparable to the featal stage of human growth. Weakness and attack vectors are important to be identified and rectified. it is much, much better to discover these ASAP, instead of having them in the future when Steemit userbase has beaten FB's 2,000,000,000++ registered users, which by then this kind of attacks would already be gigantic, if not devastating things to resolve.

So I would like to congratulate @ned, @dan and the whole team instead, for having handled the situation with a lot of grace and by doing so, might have mitigated future bigger attacks.

Here looking up on you guys. -east

Thank you for the great communication. Finally back on, I was having withdrawals and I've only been here a couple days.

Glad to see the site back up and running! It's quite commendable that you are reimbursing anyone who lost $ during this hack. It should inspire some confidence in people to stick with the platform for the long haul. If another layer of security could be added, it would be great! Cheers!

Thank you very much for confirming this and for your openness. Your ability to reimburse if needed also says a lot about your team. Respect!

Wow this is extremely disheartening, but at the same time it is given me more confidence in Steem. Why would you ask? Well it is simple, the hack was not directed at the actual coin, but rather individuals. These individuals probably had some security flaws already.

Anyways, I am here to stay!

Why was the Politics topic link removed during the hack? I find it funny that my article regarding Decentralized Globalization was starting to trend just as this happened.

Here it is:

I'll give you an upvote for being slick lol

Seriously, this happened. And as of 6 minutes ago someone's gone and posted the exact same content.

This article is trying to coin my idea straight after the hack has been patched:

This is some bullshit.

You are implying that the hack was somehow to stop your articles from getting traction?

Not specifically but I am implying that's what happened. The critical theory I posted is articulately laid out and dangerous to those in the high tower.

Guys, I'm not sure what kind of cyber attack it was but I think Steemit community has a lot of motivated engineers and security experts that could have potentially eliminated the problem BEFORE it really occurred.

Any plans to open the source code of Steemit website?

yeah whats up with that

I can recommend experts in security and blockchain development

@ned we're all here and waiting for more information from you, we hope the news is good for the future steemit, cheers

Wow. How much sleep did you guys had in the last 24h?!

Looks like you've handled things well, that is a very small amount stolen.

Would be interesting to know how they got in, was it a cross site scripting vulnerability?

This hack is a good example of why we need more clients for Steem, preferably open source. being the only usable portal into Steem is hampering the decentralization aspect. Is there someone working on alternative clients?

Let's hope... As awesome as steemit is, there needs to be more decentralized platforms to utilize.

STEEM: The only website in history that made (as of this writing) $1,651 off of the announcement admitting they were hacked and accounts were compromised. #legit

Bahaha so funny

I hope Steemit Can be tightened, for the convenience of the public and provide steemit better comfort for the future ..

I am proud of the performance steemit quickly overcome this attack .. !!

@steemed @Ned

Great response from a real person in charge. I applaud you and your team for informing the community so quickly.

Ned, thank you for 1) disclosing the nature of the issue, 2) promptly communicating and providing regular updates, 3) disclosing your defense strategy and reiterating that Steemit will maintain a zero-tolerance policy for criminal activity on a decentralization platform (this is absolutely critical for the future sustainability and growth of the Steemit ecosystem, especially in light of the recent dark web and related crypto markets; brand equity needs to be cared for) and 4) for ensuring that a more secure system is in production within 24 hours and for immediately containing the threat while doing your best to minimize impact to thousands of other users; the fact that the hacker(s) could only access 260 accounts is indicative of a unique technology structure that you have all implemented in Steemit; bullet proof!

I wrote a blog post on how timely and professional the entire Steemit team have been with its first hack;

Hi,Ned!Can you tell all in video?

I still want to put some $ to my wallet. FU hackers

encrypt the sh!t out of your keys ;) lol F 16, mine are like 30 digits long for the important ones

Kudos to the team for containing this quickly and being so transparent with it - congrats for that and thank you! Everybody should change password just to be on the safe side.

Im glad its only a small attack ned and the team are the best at what they do we will have to treat this somthing like a drill and come out the other side stronger and more robust as community

Great that you were able to contain it so quickly! Steem Power!

I like to see that you guys were quick to stop this attack I was impressed keep up the good work Steemit team.

Thank you for being honest about this. So many other coins and exchanges try to hide it from us.

Thank you for your hard work , we are here for you!!!

Thank You very much for letting us know and giving us information!
It's a pity that new innovative and growing startups are attacked by the dark forces of the net! But thats life. You'll have to expect this and be prepared!
I hope You'll find and solve the problems soon and are able to make steemit a better and safer place as a result!

I'm intrigued that the STEEM price hasn't been negatively affected by this yet. Maybe people are just used to cryptocurrencies getting attacked and stolen, and so they don't freak out about it quite as bad as they used to.

It hasn't been affected because all the exchanges have frozen trading

Trading is still active, just no deposits/withdrawals.

Are there short sale markets for Steem?

I think it makes sense for the price not be affected - this was an isolated attack on a few accounts with only a small amount stolen. The Steem protocol itself was never compromised. The faith in Steemit is still there as the team responded very quickly and contained the attack.

Even if the hacker got his stolen funds to Bittrex and was able to sell, $85,000 (128 btc) of sells would only drop the price by 2-4%.

The majority of all Steem is in Steem Power so it's secured against theft even in the event of a hack.

My point was about panic selling, not so much about dumped stolen coins.

Hopefully events like this do not happen anymore, because everyone has a comfortable start with steemit.

Great to see this being handled openly and professionally. Thanks for the update, cheers!

Thanks. How should we change our password. On the permissions tab I see 4 distinct keys. Thanks !

Thank you for the update!! Good to have you back!!

Sadly this is starting to get to frequent in this "blockchain thing". Like in The DAO, another hack happened. Thanks for the info, and hope you can find the guilty, and recover in a smooth way from it. This project seams promissing, and the idea of it is purely awesome.

Success is always targeted, keep up the good work!

how can we tell if our account was compromised and if they got into it i just checked mine and nothing is missing at all

I take things like this extremely seriously. (But, then, I take everything extremely seriously.)

I have a fair few tools for hardening websites against intrusion and have previously developed software for secure sites. Unfortunately, Javascript was not an area I focused on. However, anything I have should be considered at your disposal.

yeah but the reason steem was targeted in the first place is cuz there just like bitcoin and people are making money faster steem is ranked third in cryptocurrency but i think people get it already

Hope it's true
And in general, I propose to establish a fund. To combat by such attacks and payment improvements. We must not let history as a dao

join to for discussions

85,000 dollars isn't to bad compared to what has happened to other crypto-currencies.

Very important to distinguish the fact that Steem itself (the blockchain technology) has not been hacked. The website on the other hand is vulnerable and perhaps more effort should have gone into checking it but then no one expected Steem to rise at the rate it's rising so maybe there wasn't enough time.

Good job containing the attack and resolving the issue.

I hope everything will be fine and you will cope with all the obstacles that stand in front of you.

That's when you know you're doing something right... the moment someone tries to tear it down ;]
Keep up the excellent work, this will only help fortify the community & platform. Thanks for the 'security check' douche-bags... whoever you are.

steam has gone up too fast on the podium of the criptomonedas and should work more on security. it seems incredible that after what happened with The DAO not appropriate action is taken.

Its a funny world when due to the mass theft in recent times, $85k is a good result.

This is something that was missing in our world. Great idea.

first website in the history, a company admits that accounts were hacked. I like it!

Thanks for the announcement.we feel more secured now

They probably dump whole website database, can you force password reset? but you didn't find the hole at what i get, so even if you reset hacker will be able to compromise the accounts again?

Good job!

Thanks for your steem teem, i worried very much but quick decision & solution was reliable to us. ..bittrex too.

Nice to know the SteemTeam we're onto this so quickly, and it's been taken so seriously!

nice job steem! protect us

Hey Ned, We really appreciate your quick response and transparency on what happened. Honesty is always the best policy and this speaks to the people behind Steem and why I am even more excited about then ever before!

Ок бро! будем стараться делать все правильно!

Transparency & Integrity

Ned, thanks for the info. Having only jumped on board in any real way with Steemit today (an intro post), one thing that strikes me by and large in the crypto industry is transparency, and the communal willingness to shape a pro-active and fair outcome. Everyone has an opinion, and many the willingness to express it, for me that is great stuff.
Many folks that I advise to start adopting crypto's point to hacks, and the loss by many of much. What they often fail to recognise is how badly the banking industry is constantly under attack. Very little if this makes the public ear, for obvious reason, loss of faith in an already damned industry.
While the powers that be point to having to control the masses, I point out how a consensus based community reaches a fair compromise. Ultimately, humanity will out and I for one appreciate that in a brave new world, a willingness to reveal weak links, will in the final analysis, grow a stronger chain. Kudos.

Great job on containing the attack. When good is happening there will always be the bad that is going to come after it. Lets get back to steeming and grow.

самое время закупиться. думаю спецом это сделали. курс падает для серьезных дядек -инвесторов так что ждем монетку по 1steem=10$ а дальше вангую движуху как у биткоина. Закупаемся!

Wow that was really unexpected to me...never thought that someone wuold hack website like this.

back up and running in 10 hours :D great job lol just a hick up when compared to the ETH/DOA fiasco.

Cheers to you guys

самое время для закупки .ура!

When i goto submit story, it wont let me post mine, the " Post " button is un-highlighted..
Andyone know a fix for this?
Please help me !

Great job @ned and the rest of the development team for the fast action on this attack! Really appreciate it!

i have 24 votes on a youtube video and got 0,02 dollar for it. is that right? i allso got a text with 19 votes and 0 dollar. :/

To all Steemit users:

If you have not done so already, please reset your account passwords. We ask this to ensure that everyone's account is secure. Remember that each account has 3 keys: an Owner Key, an Active Key, and a Posting Key. We recommend following best security practices by choosing unique passwords for each of these keys. This will allow you to safely use with your Posting password.

As mentioned earlier, any Steem or Steem Dollars stolen from compromised accounts will be fully refunded by Steemit.

Thank you all for your patience and support through this process and for your wonderful contributions to Steemit.

I dont post every day, but when i do the fkers cyber attack the whole network.

Steem should hire a hacker to stop a hackers , to all whales steemers dont give up on steemit !

called the cops, called the Fire Department, called pizza hut, called the USN, called the Royal Navy, called the Red Army, called the FBI. called the CIA, called Interpol, called the KGB, called the USMC, called the USAF, called the Royal Air force, called MI 6, called Scotland Yard, called the US National Guard of every state, called NYPD, called Obama, called the Queen, called Putin, called David Cameron, called every Governor of every US State, used my time phone to call Winston Church hill, As well as Hitler, Stalin, Theodore Roosevelt, George Washington, Montezuma, ever Caesar, and Gilgamesh, called US Army, called British Army in every era, called every phone sexline, called papa john’s, called the US Coast Guard, called my State Senators, called my Senators, called every republican in the US, called Dr. Who, called the Pope, called my local Gang lords, called the State Patrol of ever state west of the Mississippi, called all of my local news channels, called Star Fleet, called The Sun, called The national enquirer, called CNN, called Scot Pelly, called Steven Colbert, called half of the Mexican Drug Cartels, called Nintendo, called the Japan Maritime Self-Defense Force, called the head of the Illuminati, called ever free mason, called bilderberg, called my neighbors, called the mayor of ever city in France, called my mom, called the Emperor of Man, and called every school district in Canada.

As much as it can't have been fun to deal with, this is a textbook example of how to communicate with users about a compromise. Explain clearly and consisely what happened, how it affects users, how it was resolved, and what you're doing to ensure it doesn't happen again.

Account hacks are never a good thing, but I actually feel quite adequately reassured that both this platform, and the steem currency are in good hands here. Great job, admins!

Any news on the reason for the second outage? Was it just the implementation of the Hard Fork?

Great job @ned and the rest of the team. Good action taken to secure steemit.

Website is still glitchy.

сайт этио фигня.главное что блоечен йработает без проблем. азначит скоро на луну полетим

Thanks so much @ned for fixing the problem so fast and for all updates on slack ! So , you reported to FBI . Do you really think this would help this platform . Just wondering .

It would be best if there is an aunthentication needed before accessing the account. Having a Two-way step verification is highly suggested.

I second this, I use it on every site that has the option to.

Very interesting! I like it!

Is it ok to post steemit icon and promote .
yes or no

Not sure why so many people are upvoting this...

maybe, because he/she have good reputation or the team steemit.

i think your announcement dont make steem going stable
my advice fix the issue ASAP
i repeat ASAP

we dont wanna see DAO effect part 2

This is awesome.. fair play steemit that really is awesome!

I feel more confident using this space with things like this addressed head on.

Well done!

Coin Marketplace