Third Update to July 14th Security Announcement - Account Recovery Begins

in #steemit · 8 years ago (edited)

Steemit is proud to announce that account recovery is now available for community members whose accounts were compromised during the July 14 hack. To recover your account you will need to complete the following four steps:

  1. Click the "Account Recovery" link at the bottom of this update.
  2. Enter your old Password.
  3. Login via Facebook, Reddit, or provide your email address.
  4. Enter your old Password again, and then provide your New Password twice.

If you logged in with Facebook or Reddit your account will be immediately restored. Steemit will contact everyone else with additional confirmation instructions.

Steemit will be unable to recover your account unless you know a password that was valid within the past 30 days.

Please note that, due to our enhanced blockchain security implementation, new passwords must be at least 32 characters long. Use a combination of upper and lower case letters, numbers, and symbols. We recommend using a password manager (pcmag.com).

Returning Stolen Steem and Steem Dollars

The Steemit team is finalizing its analysis of the cyber attack and determining exactly how much Steem and Steem Dollars were stolen from each account. Once we have completed the full accounting of lost tokens, we will reimburse every compromised user as promised.

Thank you all again for your ongoing patience and commitment to the Steemit community as we process your requests. We are profoundly grateful.

Start Account Recovery

-- Ned


Thank you for pointing out the need for a good password manager. Some of my friends think the world isn't ready for public/private key encryption on a mass scale, but I like to remind them how at one time many saw email as too hard. Now it's second nature to just about everyone. Internet users can and will skill up and hopefully Steemit will help. If we want to build the economy of the future, we have to up our game, including the latest security updates on our computers, up-to-date anti-virus software, and a good password manager. Let's lead the way to the future economy.
Steem on.

This is a 2nd chance. Don't f up. Change your PW and use something secure: a mix of upper and lower case, special chars, etc. Write it down and store it somewhere safe. In support, you wouldn't believe the number of people that forget their passwords and can't recover their accounts because they didn't set up recovery questions or keep a copy somewhere safe.

If human beings are coming up with the passwords instead of a good password manager, they are already at risk. But yeah, password security is hard. (Cue XKCD post here...)

It's nice, though, not to be as worried about it as much as with other cryptocurrencies, as long as most of your Steem is in Steem Power. :)

I don't think I've ever used the word "as" 4 times in two
sentences before.

5 times.
(And in 1 sentence. :D)

As one who has seen many exchanges get hacked, I completely agree. As we move forward, we have to act as if we're our own bank.

(dang it, only got 3 "as")


If they are using the web interface, the web interface could "cut" easy-to-guess passwords by requiring a long password of at least X chars, containing symbols, numbers, letters, caps, etc.

Haha, that's true, buddy. :)

I think a piece of hardware like the Ledger Blue wallet will have to become widespread as the crypto age ascends.

I am going for a 256-character password! Just to be sure.

Perfect comment! We do need to step it up, I feel like a bimbo because I assumed I wouldn't get hacked.
Then I did...

Lastpass with yubikey has been amazing for me. Makes 60+ character passwords no problem.

I went through the process but can't login via the Owner keys to change my passwords...Is that intentional?

Yep! You must log in with your posting key first, then go to the permissions page and click "change password"; they will ask for the owner key if you want to change it.... They just want to be sure nobody logged in with the owner key is browsing steemit's content! And that is fabulous!

I'm somewhat confused. I restored my account and logged in with the new 32+ char password, but all I see in the permissions tab is this...

Posting Key ===>>> Show Private Key
Active Key ===>>> Login to Show Private Key
Owner Key ===>>> absolutely nothing!!!

Am I supposed to log in again (a second time) with the new 32-char key?

And most important of all, do I need to change the owner, active and posting keys, or did the restore function do this for me already?

Thanks

All keys changed with the restore function. Next time, log in with the posting key for extra security!

https://steemd.com/@chryspano/~owners

I like keepass more, and it is really free, and more than that: it is open source (OSI certified). http://keepass.info/

I use keepass too, but a lot less as I moved to doing a lot on mobile. Has keepass made it easy to use on Android?

Thanks for all the hard work. It appears I'm back. I know the devs worked day and night. They deserve bottles of champagne. Or Mountain Dew, as I can't picture a dev drinking champagne for some reason.

I pictured them with Red Bulls. :D Their veins flowing with 50% energy drinks until the security is up to speed. :)

Hey, thanks again guys for your hard work!!!
I've recovered and changed my password.
Side Note...
You stated that "new" passwords will need to be 32 characters. Is this mandatory or a suggestion???
I bring this up because my new pass is 28 characters and the system allowed me to keep moving forward with it. So if it's supposed to be mandatory, you may want to look into this?!!
I'm going back and changing mine, now that I've read your post.
Thanks again @ned and @dan

This is a HUGE deal. The fact that Steemit was able to resolve the issue of accounts being hacked and return them to their rightful owners in a relatively short time span makes me feel much safer about continuing to invest in and use steemit.

So much quicker than "ethereum soft fork, okay let's try a white hat attack, okay let's just hardfork".

What does that mean for people not affected by the hack, who managed to keep their owner key cold/offline and don't need/want an account recovery option via steemit.com?
I noticed the field "recovery_account": "steem" in my account data (not sure if it was there before the fork). Is that the account that can recover my account, and can I remove that or switch it to a 2nd account I (or a person I trust) control?
Not to be skeptical of the steemit team or anything, I really love what you're doing here! I'm just curious about how things work and my options.

Hi, that is the friend factor / trustee element of Steem. It has no authority to take ownership of your account; however, it can be used to identify you and help with disaster recovery in the case of a hacked account. It's described here: https://steemit.com/blockchain/@dan/steemit-releases-groundbreaking-account-recovery-solution

Thanks, I somehow seem to have missed the main post about the recovery mechanism.

Love all the work you all are putting into this. Revolutionary for sure.

Lost ownership of account. All I did was reset the password. Tried recovery; it said the password was not used in the last 30 days. I used it every day. Please help.

Yes, thankfully accounts that were hacked can be restored now.

It worked!!!! I'm back!!!!

Awesome! If you want to cash out any of your $740 steem dollars, it might not be a bad plan, so you don't lose it all if you get hacked again. Write-up of steps lives here.

trevon nice!!!! good luck man been watching your vids A++++++++++

Good to have you back, brother. I remember when I first saw your videos; you've come a long way in a short space of time. Well, keep up the good work.

Finally no more whining in #general! :p

@dan and @ned: do I need to hit the button 'change passwords' to change all the keys? I recovered my account... this part is not clear to me.

Ok good, it appears you are back in, and the password change updated all of your keys.

Not so clear to me either. I recovered the account and have a new master password, but once that's all done, do we go and change the rest of the 3 keys as well: posting, active and memo?

You can, however, there are more security measures in place now.

@ned dude thank you for everything

yup I second that @ned, thanks. You guys saved my account!!

Could you please elaborate on how one can change the posting brain key and perhaps print the private owner key? Thanks!

Under permissions, one can choose the pencil icon for changes, and the key can be copied to a text file for printing.

Thanks @ned, but there is no pencil icon anymore. Before the hack I remember seeing the pencil icon after pressing the bold black text to log in... Now there is a blue button to log in or show the private key on the right side of the keys... but it is not possible to show the private owner key anymore like before... and it is not easy to use steemit with the posting brain key being the same as the owner brain key...
I pressed the "change password" button below, which changed all the keys... but still I do not get options like the pencil... the security team seems to have changed this permissions page...

It is the same situation for me. The account recovery process seemed to work but there are no icons next to the private owner key, which makes me unsure if I am actually logged in as the owner or not since I see no way to change only the owner password. I am not sure if I should use the "change password" option again? The last time I did so, I still did not see any pencil option or any way to change only the owner key. I'll watch the site for answers/updates, thanks!

That's correct, one password change on the Steemit GUI will now change all four keys. A user may manage each of the four keys outside of Steemit or using his/her password manager, such as LastPass. Combined with 'Compromised Account Recovery', the single 'Change Password' is a balance between secure key management and usability. We'll be publishing and pinning more info on the Steemit GUI's security and password managers in a post.

Really 32 characters eh? That’s going to make it hard to remember.

I'm tearing my hair out. YOU AREN'T SUPPOSED TO REMEMBER IT.

Repeat after me: If you can remember your Steem password, you will almost surely get hacked!

To Steemit devs: you need machine generated passwords. You cannot trust regular users to do the right thing. You need to force their hand. Damn the user adoption hindrance. It is the moral thing to do.

Good point, but I actually don't trust machines. I'll add all my pets' names together and make something from that.. lol

My pet is a parastratiosphecomyia stratiosphecomyioides.

What do you usually do to remember stuff?

Do that.

keepass can remember it for you....

Awesome work guys! Now get some much needed sleep :-)

CG

This Steemit team is really awesome!

Congrats on a breakthrough differentiation and congrats again on staying in front of your customers. Awesome product and service!

I did not get my account compromised, but I got my SBD and Steem stolen, so I hope I get everything back. Thanks ned and dan for taking care of us steemers.

Hi, if your tokens were stolen and no keys were changed, then you must update your owner and active keys immediately for us to look into possible theft.

Upon examination, it looks as though your account is compromised. You will need to go through the account recovery process immediately. Thanks for your cooperation.

@ned, Sorry for hi-jacking this comment. I'm also an account with lost funds, I've reset my password and recovered my account. Is the refund automatic, or do I need to do something?

Wow, I saw a few days ago that you were working on this solution...and in my opinion you've delivered in quick fashion. Make these new passwords strong and don't lose them.

yes @blackjincrypto account is back thanks @ned

This is how things should be done.

Dear @Ned, "steem" CEO of Steemit:
You must pay back the steem power that I've lost because your system caused it. You pay for me, because you were defending the interests of the Steemit community.
@Ned, "steem" CEO of Steemit, I am waiting for your reply.
https://steemit.com/steemit/@tonyson-ned/ned-steem-ceo-of-steemit-you-must-pay-back-the-steem-power-that-i-ve-lost-because-your-system-has-caused

It would be righteous if you could set up a 2- or 3-factor authentication that would allow any user to roll back any transaction if all of the factors are met. This would exclude an escrow type, or have a time period - a claw back of sorts.

We all know the blockchain is not immutable, if you do not want it to be...

2FA should have been implemented from the get-go. Now we need to fix all security issues and stop the cheaters.

Does anyone know why steemit has the only wallet on the internet that does not offer 2fa? Is there some sort of technical limitation that I am unaware of here?

I'm not sure if and how classic 2FA would work here. As I understand it, steemit.com is just a front end for the blockchain and does not handle classical user accounts and authentication on the server side.
You basically enter your private keys (or the password to create the private key from) in your browser and then sign transactions (like upvote, post or steem transfers) with that key in your browser.

In a way it already has a sort of multi-factor auth with the role-specific keys... just remove the owner and active key from your browser, and the worst thing that could happen if you get hacked is someone posting/upvoting with your account, but no steem transfer without the owner/active key. I even put my posting key on my mobile, which I normally do not trust with cryptos.
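
The two mechanisms discussed in this thread, "one password change on the Steemit GUI will now change all four keys" and the comment above about keeping only the posting key in the browser, both follow from how Steem derives role keys from the master password. The script below is an added example, not code from the original post or from Steemit; it assumes the derivation used by steem-js and the steemit.com front end at the time (private key for a role = sha256(account_name + role + password), encoded as an uncompressed WIF string with version byte 0x80 and a 4-byte double-sha256 checksum), and it assumes the role strings "owner", "active", "posting" and "memo". The account name and passwords are constructed, and the `meets_policy` check is this editor's encoding of the announcement's stated rule (at least 32 characters, mixed classes), not a Steemit API.

```python
"""Steem role keys from an account name and master password.

Added example; not code from the original post or from Steemit. It assumes the
derivation scheme used by steem-js / the steemit.com front end:

    private_key(role) = sha256(account_name + role + password)

encoded as an uncompressed WIF string (version byte 0x80, 4-byte checksum =
first bytes of sha256(sha256(payload)), Base58). Account names and passwords
below are constructed for the demonstration.
"""
import hashlib
import secrets
import string

ROLES = ("owner", "active", "posting", "memo")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
MIN_PASSWORD_LENGTH = 32  # the announcement's stated minimum


def b58encode(data: bytes) -> str:
    """Bitcoin-style Base58; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a foreign character
    pad = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def to_wif(raw_key: bytes) -> str:
    """32 raw key bytes -> 51-character WIF string starting with '5'."""
    payload = b"\x80" + raw_key
    return b58encode(payload + _checksum(payload))


def from_wif(wif: str) -> bytes:
    """Inverse of to_wif; rejects a wrong version byte or a corrupted key."""
    data = b58decode(wif)
    payload, checksum = data[:-4], data[-4:]
    if len(payload) != 33 or payload[:1] != b"\x80":
        raise ValueError("not an uncompressed WIF private key")
    if _checksum(payload) != checksum:
        raise ValueError("WIF checksum mismatch")
    return payload[1:]


def derive_role_key(account: str, role: str, password: str) -> str:
    """Private key for one role. sha256 is one-way, so a stolen posting key
    gives an attacker no path to the active or owner key."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    seed = (account + role + password).encode("utf-8")
    return to_wif(hashlib.sha256(seed).digest())


def derive_all_keys(account: str, password: str) -> dict:
    """All four keys come from the same password, which is why a single
    password change on the front end rotates owner, active, posting and memo."""
    return {role: derive_role_key(account, role, password) for role in ROLES}


def meets_policy(password: str, min_length: int = MIN_PASSWORD_LENGTH) -> bool:
    """The stated rule: at least 32 characters with upper, lower, digits, symbols."""
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return len(password) >= min_length and all(
        any(c in cls for c in password) for cls in classes)


def generate_master_password(length: int = MIN_PASSWORD_LENGTH) -> str:
    """Machine-generated master password that satisfies meets_policy()."""
    if length < MIN_PASSWORD_LENGTH:
        raise ValueError(f"policy requires at least {MIN_PASSWORD_LENGTH} characters")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:  # retry until every class is present (almost always first try)
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, length):
            return candidate


if __name__ == "__main__":
    old = derive_all_keys("alice", "my-old-master-password")  # constructed
    new_password = generate_master_password()
    new = derive_all_keys("alice", new_password)
    for role in ROLES:
        print(f"{role:8s} {old[role]} -> {new[role]}")
    assert all(old[r] != new[r] for r in ROLES)  # one change rotated all four
    assert from_wif(new["posting"]) == hashlib.sha256(
        f"aliceposting{new_password}".encode()).digest()
```

Because each role key is an independent one-way hash of the same password, a front end that holds only the posting key cannot produce the active key needed for a transfer, which is the "sort of multi-factor" property described above; and because all four hashes share the password as input, changing it necessarily rotates all four at once, which is why the GUI offers a single "change password" rather than per-key edits.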

Very fast, DPoS is great.

And yet again more proof steemit isn't slowing down anytime soon.

Agree! We will be dashing for the moon. ;)

YES!
It worked. Just recovered my account.
Thanks so much to the team!

Hello everyone. I just wanted to thank you all for creating this great community and wanted to mention my own efforts into making it the best: http://steem.ly/f We created a shortening service dedicated for steem! @doyourpart

Awesome, thanks @ned for the update and new tools!

  1. When you say "new passwords must be 32 characters long":
    Is this the minimum length or the maximum? If not, what is the maximum length?
  2. Can anyone spell out the exact allowed character set for password generation?

Min length. Going forward we will actually be enforcing full private keys as passwords.

Woowhoo! I'm back. Thank you Ned and team for the hard work, and the blazing fast communication!

Never had a doubt in my mind! Lets get those accounts recovered and backed up!! Thanks again to the Steem Community!

This is how we do it! Great! Good job, staff! TO THE MOOON!

I have to say I'm surprised by the professionalism and support from the Steemit team; it's better than I could have ever hoped for! If it remains like this I see a bright future ahead of us for everyone!
Great job @ned and the others! I can't wait to tell more people about steemit! Was even planning on putting an article in my local paper this week, will make sure to do so now! :)

Good job @ned and co. This will be really good news for adoption! Just like with ethereum you took care of the hackers and fixed everyone's accounts! Awesome!

Or when Mt. Gox lost 880k BTC and then everyone got it back... oh wait, never mind.

I wonder how many private keys he has forgotten in jail.

Thanks, but a lot of passwords up to 32 characters so far... this is safe. Thanks a lot, and fanie is back :)

Fantastic work and awesome updates during this entire time. I know I'm just a "fish" amongst several whales and dolphins, but wow.. I'm addicted and I'm in love with Steemit.

Amazing!

And two-factor authentication, when?

love this company! All about that blockchain.

Worked great thnx. 3 Cheers for Ned! :)

Ned - next time you need to post an update, we can totally use my account.

Now you guys are just showing off, nice speedy work gentleman.

Loving your work.

Can I recommend using the login app called CLEF?
It resists keyloggers at least, since you are not typing while logging in.
And it's a changing algorithm, so it is 2-factor authorisation by default.
It's also easy for a site to provide it as an option alongside normal login.
Look it up: https://getclef.com/

Sounds pretty easy to me. Good job to the steemit team!

Thank you for the update! What about owner's private key? Is it still not available? Are transfers not possible yet?

Here's another good password manager I've been using for a while and really like - https://lastpass.com

Also, if you don't have an ad blocker - Get One! It Will Change Your World - adblockplus.org

LastPass is a great option, but another lesser-known one is SuperGenPass.

What would be truly fantastic, though, is if Steemit implemented SQRL. This password-obviating authentication mechanism seems to me to be best of breed: powerful, secure, with contingency plans if you lose your keys, etc.

Are there still problems... ? https://steemit.com/steemit/@iamwne/steemit-again-has-outtages. Is there still a security problem or DDOS?

Great Support for us !!!!
thank u steemit :D

I have a problem. I sent my steems wrongly with the wrong memo (my steemit memo to poloniex), so how do I recover my steems? Do I have to seek a solution from the steemit side or the poloniex side?
