How I Could Have Prevented My Account From Being Hacked

in #the-hack · 8 years ago (edited)

The Paranoid are Secure

I like to consider myself very security conscious. I mean, come on, I'm a mathematician; by definition that means I am paranoid. So when this hack occurred, I didn't know whether my account was compromised. There were already several mentions of hacks going on in Slack, so I began the process of changing my keys. Alas, I was too late, and the hacker had already taken over my account.

Mea Culpa, Mea Culpa, Mea Maxima Culpa

Now, first off, I have no one but myself to blame. I should have updated my key authorities ages ago. I did at some point, but had some issues with voting after the change (probably user error), and so I put everything back to one common key. BIG mistake.

If my account had been properly secured, all 5 keys would have been different.

What Went Down

As best I can tell, I was logged into steemit using my owner key (a very poor operational security choice, since that is your MASTER key and is best kept OFFLINE) and stumbled across one of the pages carrying the XSS exploit. An XSS payload can reach whatever the page itself can reach, so whichever key you are logged in with is the key that gets stolen. At that point there was no hope: my owner key (along with my active, posting, and memo keys) was compromised.

I had a power down scheduled for Thursday, and sure enough the attacker managed to move my powered-down Steem.

Who you going to call?

Developer Superheroes

Fortunately, your friendly neighborhood blockchain developers at Steem and the team at Steemit had a solution in place in a relatively short amount of time (some may call it too short, others not short enough). I confirmed to Ned by voice that my account had been hacked (he didn't answer, as he had more important business to attend to, but I left a message), and then sent Steemit an instructional email asking them to transfer my account to the public keys of some newly generated private keys. Only the public halves were sent; the new private keys never left my machine. The email was signed with my GPG key as a means of identity verification.

Steemit then transferred my account.

1 Key to Rule Them All

Each account has 5 keys:

  1. Owner
  2. Active
  3. Posting
  4. Memo
  5. Signing

Now, the first 3 (Owner, Active, Posting) form a hierarchy with Owner at the top: anything the posting key can do, the active key can also do, and anything the active key can do, the owner key can also do. The memo key sits outside this hierarchy; it authorizes nothing and is used only for encrypting memos.

Owner

Your main key. Keep this offline. Secure in a vault. Dig a pit. Put it in a time capsule for your kids.

Don't put it in a safety deposit box at a bank though. They may be out of business soon with Steem knocking at their doors.

Active

2nd in the hierarchy of keys. This is the key that authorizes transfers, power downs, and changes to the keys below it, so it is what an attacker needs to actually move funds. Useful for power users, and for resetting your posting key if that is compromised.

Posting

For most accounts out there, this is the key you use to post, comment, and vote. Guard it wisely: if any key has to live in your browser, it should be this one and nothing higher.

Memo

You can, if you are so inclined, send encrypted memos on the blockchain to another user. Your memo private key and the recipient's memo public key are combined into a shared secret that encrypts the message; the recipient derives the same secret from their memo private key and your memo public key to decrypt it.

Signing

This is used for signing blocks if you are a witness or a proof-of-work miner. If you mine an account, all of its keys default to this one.

Conclusion

I could have saved myself a lot of headache if I had changed my keys early on! Here I am, supposedly security conscious, and I failed to do that.

Since the attack, I have regained complete control over my account. Wazoo.

You can save yourself a lot of trouble with the following cli_wallet command (run it from a wallet that is unlocked and has your current owner private key imported, since replacing the owner key has to be signed by the old owner key):

update_account YOURACCOUNT "{}" OWNER_PUBKEY ACTIVE_PUBKEY POSTING_PUBKEY MEMO_PUBKEY true

The four key arguments are public keys; the matching private keys never go on-chain. Use a different key for every role (suggest_brain_key in the same wallet will generate a fresh one), and note that "{}" is passed as the account's json_metadata, so if your profile metadata matters to you, pass the existing JSON instead.
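As an added example (my own code, not the author's and not Steem's), here is the four-keys-for-four-roles idea from the key section above carried through to that update_account line: each role's private key is derived from a master password the way steemit.com did it, priv_role = sha256(account + role + password), the keys are checked to be distinct, and the public halves are formatted as Steem "STM…" keys and dropped into the command. It assumes secp256k1, the Graphene/Steem WIF and STM encodings, and that sha256(name + role + password) derivation; the account name and password are constructed, not real.

```python
import hashlib
from dataclasses import dataclass

# secp256k1 parameters: the curve Steem (Graphene) keys live on.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ROLES = ("owner", "active", "posting", "memo")
B58 = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _add(p, q):  # affine point addition; None is the point at infinity
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point=G):  # double-and-add; demo only, not constant-time
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, point)
        point = _add(point, point)
        k >>= 1
    return acc


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = bytearray()
    while n:
        n, r = divmod(n, 58)
        out.append(B58[r])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return (B58[:1] * pad + out[::-1]).decode()


def compressed_pubkey(priv: int) -> bytes:  # 02/03 prefix by y parity, then x
    x, y = _mul(priv)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def to_wif(priv: int) -> str:  # Bitcoin-style WIF: 0x80 || key || sha256d checksum
    payload = b"\x80" + priv.to_bytes(32, "big")
    chk = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + chk)


def to_stm(pub: bytes) -> str:
    """Steem text form of a public key: "STM" || base58(pub || ripemd160(pub)[:4])."""
    try:
        chk = hashlib.new("ripemd160", pub).digest()[:4]
    except ValueError as exc:  # some OpenSSL 3 builds ship hashlib without ripemd160
        raise ValueError("ripemd160 unavailable in this hashlib build") from exc
    return "STM" + b58encode(pub + chk)


@dataclass(frozen=True)
class RoleKey:
    role: str
    wif: str    # private key, stays on your machine
    pub: bytes  # compressed public key, the only part that goes on-chain


def derive_role_keys(account: str, password: str) -> dict:
    """priv_role = sha256(account + role + password): one distinct key per role."""
    keys = {}
    for role in ROLES:
        seed = (account + role + password).encode()
        priv = int.from_bytes(hashlib.sha256(seed).digest(), "big")
        if not 1 <= priv < N:  # astronomically unlikely, but a key must be in range
            raise ValueError("derived scalar out of range; pick another password")
        keys[role] = RoleKey(role, to_wif(priv), compressed_pubkey(priv))
    return keys


def ensure_distinct(keys: dict) -> bool:
    """Refuse the one-key-for-everything layout the post calls a BIG mistake."""
    pubs = [k.pub for k in keys.values()]
    if len(set(pubs)) != len(pubs):
        raise ValueError("two roles share a key; every role needs its own")
    return True


def build_update_account_cmd(account: str, keys: dict) -> str:
    """The cli_wallet line from the post with all four public keys filled in."""
    ensure_distinct(keys)
    stm = {role: to_stm(k.pub) for role, k in keys.items()}
    return (f'update_account {account} "{{}}" {stm["owner"]} {stm["active"]} '
            f'{stm["posting"]} {stm["memo"]} true')


if __name__ == "__main__":
    ks = derive_role_keys("alice", "P5JcorrectHorseBatteryStaple")  # constructed
    for role, k in ks.items():
        print(f"{role:8s} {k.wif}")
    print(build_update_account_cmd("alice", ks))
```

The WIF strings printed for each role are what you import into cli_wallet with import_key; only the STM keys in the final line go on-chain. ensure_distinct is the check the author wishes he had run: handed the same key for every role, it refuses rather than emitting a command that recreates the single-key setup. to_stm fails loudly when hashlib lacks ripemd160 instead of producing a key with a wrong checksum.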

Keep it steemy.


This is great advice for anyone, even if it is just a reminder. The remedy to this situation is a testament to the team; my hat is off to all who worked together in resolving this.

I agree, the response time, transparency, and overall professionalism of the team during this time has been phenomenal!

What are we supposed to do if we registered via facebook? How can I generate these different keys please and obtain my current private keys?

I've been wondering the same thing, and have been worrying about the security @complexring, can you help us?

Wait for more information from the team. There will be detailed instructions soon.

The devs have a solution on the way. The latest version, which has been reviewed and passes all unit tests, allows for account recovery and gives various authorities to either the top witness or to Steemit's main account. You'll see more details from the Steem team soon!

There will be additional UI changes to separate out user posted content and voting from the other roles. These could be separate sites entirely. I would like to see Steemit use separate domains for these two sites.

Sounds like there could be additional security implications in giving more authority to witnesses or Steemit itself. Do you have any thoughts on that?

I think the 30 day rule for making transfers irreversible helps a lot. Also, steemit has an incentive to try to be fair and maintain account security, while doing so in a decentralized manner in the spirit of the blockchain. Not an easy feat.

Thank you for the info, I know the steemit devs will come up with a secure solution. Everyone is going to be happy, especially all of us who have been a part of this so early on.

good question

FINALLY, I've been looking for a post like this, but I can't find a search to search for anything on this site. Thank you very much for the tutorial.

WE NEED SEARCH. I cannot find ANYTHING on this site, and browsing is rough.

Did you try that little magnifier icon in the top right corner?

Thanks ...I like this one most ;-) "Don't put it in a safety deposit box at a bank though. They may be out of business soon with Steem knocking at their doors."

You learned the hard way - thanks for sharing what you would have done differently. I have no idea about CLI so I'm not sure how to update passwords just yet.

I've been trying to get this done for 8 days now !

If you want to secure your wallet, you may want to write your password in a secret note and save it! If you forget your password, you can become a stranger to your own wallet!

Thanks for not only the detailed original post but also the follow-ups with all the users here. It's invaluable.

Just doing what I can to help make this an awesome community. There were many before me who paved the way and who did amazing posts on how to do things! Most of the answers people are asking for have been around since the early days. It's just tough to find the info now without a good search mechanism.

I have changed my owner key and my active key. I'm logged in just with posting, but because I signed in with FB, am I still at risk?!

For some reason I cannot log into my owner account to change my password. I originally set up a unique strong password for each of my keys. I had not logged in to them since, except to test the passwords I have documented. So after the hack everyone is warned to change their password. Today I try to log into my owner account to change my password and it says my password is wrong. Would it be better if I had changed my password while the exploit was actively running? It was an XSS vulnerability, so logging into your owner account would have been a bad idea, so I refrained from changing my password until today. Is my account hacked?

I have the same issue. Cannot log-in with owner credentials, only posting credentials!

Same here...can only log in with posting key and all my Steem is gone...only thing left in the wallet is 'steem power'.

Yeah that facebook/reddit solution is going to be righteous.
