First Update to July 14 Security Announcement from Steemit CEO Ned Scott

in #steemit, 8 years ago (edited)

After conducting further analysis and following hack containment procedures, Steemit has been able to narrow the potential number of compromised accounts. We can now announce that in the past few hours, the Steemit team has been able to coordinate with elected witnesses to secure potentially compromised accounts with balances exceeding $100 US. As a result, we can ensure these accounts are restored to their rightful owners. This process has been completed.

Within the next 48 hours, Steemit will begin to allow all newly secured accounts to reset their passwords simply by logging in with the same Facebook or Reddit credentials that were used to register in the first place. This easy process will work for the vast majority of the potentially compromised accounts. All of these account holders will regain full access to their funds and their original account name.

If your user account was not created through Facebook or Reddit, Steemit asks that you contact our support team at contact@steemit.com. We will be able to provide you an alternate solution. If you have any additional concerns about your account, please contact our support team as well.

The Bittrex team is completing analysis of our wallet. Once it has passed their rigorous compliance checks, they will reopen the wallet for deposits and withdrawals.

To all Steemit users:

If you have not done so already, please reset your account passwords. We ask this to ensure that everyone's account is secure. Remember that each account has 3 keys: an Owner Key, an Active Key, and a Posting Key. We recommend following best security practices by choosing unique passwords for each of these keys. This will allow you to safely use steemit.com with your Posting password.

As mentioned earlier, any Steem or Steem Dollars stolen from compromised accounts will be fully refunded by Steemit.

Thank you all for your patience and support through this process and for your wonderful contributions to Steemit.

-Ned

Previous Update Here


Confirming authenticity of the account posting this.

Confirming the authenticity of the account commenting on this account confirming the account posting this.

Giving suspicious glance at Confirmer and Confirmer of Confirmer.

ಠ_ಠ

Confirming the authenticity of the account commenting on this account confirming the account posting this.

Just want to drop that here: How to verify yourself and others properly with keybase to make verification more explicit and verifiable. Since you could be compromised, too. :-)

Confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this post confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this post

Don't forget to change the memo key as well. Personally, I like to use the same password for posting and memo for convenience, but I keep the active key password separate and normally not logged in as active. The owner key also has its own separate password and is securely kept offline.

EDIT: OP account verified. Thanks.

steemit3 is one of Steemit Inc's original mining accounts, and for now is one of the top 19 witnesses voted in by them for the hardfork to prevent any further losses of funds. https://steemd.com/witnesses

You got a point, maybe the author can explain. Steemit is however up and working, there is no reason to fake this kind of announcement.

Ned, thank you for 1) disclosing the nature of the issue, 2) promptly communicating and providing regular updates, 3) disclosing your defense strategy and reiterating that Steemit will maintain a zero-tolerance policy for criminal activity on a decentralization platform (this is absolutely critical for the future sustainability and growth of the Steemit ecosystem, especially in light of the recent dark web and related crypto markets; brand equity needs to be cared for) and 4) for ensuring that a more secure system is in production within 24 hours and for immediately containing the threat while doing your best to minimize impact to thousands of other users; the fact that the hacker(s) could only access 260 accounts is indicative of a unique technology structure that you have all implemented in Steemit; bullet proof!

I wrote a blog post on how timely and professional the entire Steemit team have been with its first hack; https://steemit.com/steemit/@bismail/what-happens-now-with-steemit-keep-or-sell-steem-my-thoughts

Thanks for your excellent work.

Our hardest times are also the times when we can evolve the most. This clean solution only serves to strengthen the trust users have in you and your team.

Full steem ahead!

You've done a really good job! Thumbs up for managing this attack like pros.

I completely agree, I could honestly say that @ned and his team have responded more effectively to this isolated information security incident than most "too big to fail" chartered or international banks! Kudos to the team and kudos to the loyal community who stuck through to see the light at the end of the tunnel.

Love the transparency guys. Keep up all the hard work. We appreciate it!

This is a real Crypto-Currency site, not like The DAO...
Fast, secure and refundable!!!!! Steem it UP!!!

Posting key changed, thanks for the highlight!

Thank you for your hard work guys. We all love this platform and I'm honestly glad this happened so quickly, it would have been a much bigger headache further down the road.

I could not agree more. Better safe than sorry, and now that the solution has scaled and already has a dedicated consumer base of thousands of users, it will immediately attract unscrupulous eyes and unwanted attention as hackers will be interested in extracting some illegal value for themselves. The Steemit community does not need those headaches! Disrupting the legacy centralized social media tools is hard enough on its own!

Any cryptocurrency with a Top 5 market cap needs to be especially careful, not just from an authentication standpoint (some users have suggested implementing a two-factor authentication module for Steemit, which would help but that is only the beginning), but also from a regular site audit standpoint; these cryptocurrencies need to invest in the proper business continuity planning and disaster recovery management solutions, as well as ensuring that they have access to cyber security and digital threat forensic experts to help 'stress test' the system. This is only the beginning and there will be more and more attempts going forward.

One last point worth mentioning, the actual Steem cryptocurrency was not impacted or attacked in this particular incident, it was only the Steemit.com website and that has since been corrected by Ned and his team.

Long live Steemit!

Good to know the difference, right? The Steemit website got hacked, not Steem.

I truly appreciate how upfront and transparent you guys are. It makes me very comfortable with this platform.

Thank you very much for resolving the issues! I can now promote #steemit among my friends without them facing the half-working site.

I hope I am not the only one here that doesn't know how to reset his keys... :/
Anyone that can make a fast how-to guide will get my upvotes. Pls link it here too.

But I am old! and so much of the detail is gibberish to me :-( even after reading thru that link and writing it down.
I'll get my computer science daughter to help.

Another question, tho...what happens if I don't do this and just keep my current login to steemit, besides maybe not being protected? Are there any other reasons?

Please do get someone you trust to help you with the process.

You are lucky to have not been directly compromised in this hack this time (although it may still be possible the attacker has compromised you anyway yet hasn't acted on it yet, so it is important to update your passwords). Normally, if your password is compromised with the default setup after registering via Reddit or Facebook, it means your owner authority is also compromised. If your owner authority is compromised, you no longer own your account and no one can help you recover it (with the exception of hard forks but that is a nuclear option that is only justifiable to bring out for truly exceptional and massive attacks like was done yesterday).

So it is really important to have a separate strong and random password (you don't need to remember it) for the owner key and to keep that stored securely off of a computer. A perfectly decent option is writing it on good old analog paper and keeping it in a fire-proof safe (and having backups in other safe locations you can trust is smart, but make sure people you don't trust cannot see the information on the paper). That information can basically act as your passport proving you are the real gardenlady in case your computer gets hacked, so that you can recover your account and funds.

Lastpass is a great choice. It is smart to have password managers such as Lastpass generate the strong passwords for you and save/manage them. So you could use Lastpass to save your posting/memo password as well as store a separate active password.

Normally, you would be logged in with the posting password (see this guide for details). But you can temporarily log in (in a private or Incognito window for example) using your active password any time you want to do any operations other than posting or voting. That includes powering up or down, sending money to other accounts, using the internal exchange, or changing your active, posting, or memo keys. Then once you are done with that privileged operation, you can logout or simply close that Incognito window, and go back to using your normal posting login.
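The key hierarchy described in this comment (and in the announcement's advice to use unique passwords per key) can be made concrete. The following is an added example, not code from Steemit or from the commenter: Steem derives each role's private key as SHA-256 over account name, role name and password, then encodes it as WIF. It shows why one shared password exposes every role, while separate passwords confine a leak to one role. The account name and passwords are constructed sample values.

```python
import hashlib

ROLES = ("owner", "active", "posting", "memo")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_encode(data: bytes) -> str:
    """Base58 encoding as used for WIF keys; leading zero bytes become '1'."""
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def to_wif(raw_priv: bytes) -> str:
    """Uncompressed WIF: 0x80 prefix, key, 4-byte double-SHA-256 checksum."""
    payload = b"\x80" + raw_priv
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return base58_encode(payload + checksum)


def role_key(account: str, role: str, password: str) -> str:
    """Steem's password-derived key: sha256(account + role + password)."""
    seed = (account + role + password).encode("utf8")
    return to_wif(hashlib.sha256(seed).digest())


def derive_keys(account: str, passwords: dict) -> dict:
    """Map each role to its WIF private key, given a password per role."""
    return {role: role_key(account, role, passwords[role]) for role in ROLES}


def roles_exposed(account: str, keys: dict, leaked_password: str) -> set:
    """Roles whose real key an attacker can reproduce from one leaked password."""
    return {r for r in ROLES if role_key(account, r, leaked_password) == keys[r]}


# Constructed sample account and passwords (not real credentials).
ACCOUNT = "gardenlady"
SHARED = {r: "P5sameForEverything" for r in ROLES}           # default signup setup
SPLIT = {"owner": "P5ownerOfflineOnPaper", "active": "P5activeInLastpass",
         "posting": "P5postingDaily", "memo": "P5postingDaily"}


def exposure_from_posting_leak(passwords: dict) -> set:
    """Which roles fall if the password used for day-to-day posting leaks."""
    keys = derive_keys(ACCOUNT, passwords)
    return roles_exposed(ACCOUNT, keys, passwords["posting"])
```

With the shared setup a posting-password leak yields all four keys, owner included; with split passwords only posting and memo (deliberately shared here) are exposed.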

Thanks arhag. Right now I use Lastpass to hold passwords, I was thinking that it's pretty trustworthy, and I have 2 levels of password protection just to open Lastpass accounts. Regardless, I will try to get help from said daughter :-)

Oh, and I read somewhere that when you Power Down (which I'm not doing anytime soon) you'll need the separate passwords because we shouldn't Power Down via Steemit? We should do it thru ?....oh, I didn't understand.

Thanks. It's really nice that you took care of this so quickly and are refunding the stolen goods.

Thanks for handling this. My account seems to be unaffected.

Create unique passwords that use a combination of words, numbers, symbols, and both upper- and lower-case letters.

This is very important news for everyone who invested in Steem!
It shows the seriousness with which cryptocurrency is being treated! Thank you!

It is very kind and responsible of steemit to refund all the affected accounts.

I'm done researching Steem, and I now fully understand the whole content of it. I think I'd settle on this crypto rather than Ethereum. :)


Thanks for the heads-up

Good! thanks for your correspondence.

Hey, @ned, your link "Previous Update Here" at the bottom is not working.
Thanks for the great job protecting Steemit.

Thank you for sharing. Helps keep confidence and sheds light on how steemit works in practice. Keep up the good work

Hang on a sec, reset passwords? How? Call me dumb, but I can't find an option to do that in the Steemit UI.

Good to see that quick action has been taken and the rapid provision of information.

Impressive response time!

Pardon me, but did you just say that you still have all the credentials used to create accounts linked from Reddit/Facebook?
Can you provide any additional information on how securely this account data has been stored?

We must keep a minimum set of data to prevent abusive signups.

Wow....hopefully this craziness is behind us now.

Is 2FA not planned to be implemented?

Thank you guys for all your hard work, long live the Steem family!

:-D

CG

Adding two-factor authentication may help secure user accounts from theft.
