Important Security Announcement: Steemit CEO Ned Scott

in #steemit, 8 years ago

Steemit was today subjected to a cyber attack. In the attack, fewer than 260 accounts were compromised, and less than $85,000 worth of Steem Dollars and Steem may have been stolen.

The hack has now been contained. User accounts and wallets are not at risk, and we hope to soon reactivate the Steemit website to normal order. Any users whose accounts were compromised will be completely reimbursed.

Though only a relatively small amount of Steem was stolen, we take any form of criminal activity against our community extremely seriously. We have reported the hack to police and other cyber crime authorities, including the FBI. A full, internal investigation is currently being conducted and we are working on an immediate solution.

Partner exchange Bittrex was informed of the compromise and is actively helping the investigation. As a precaution, they have temporarily suspended the ability to deposit or withdraw Steem and Steem Dollars from their exchange. The suspension will be lifted as soon as possible.

Thank you all for joining us on Steemit. We apologize for the temporary disruption of services and look forward to resuming operation of our social network.

Regular updates will be provided here on Steemit.com

-Ned


This article should mention that the Steem protocol (the "coin") was not hacked, nor was any smart contract running on top of the Steem protocol. This hack is a website hack where a hacker stole funds and account credentials, and not a hack on the coin itself, at least according to the best information available when this article was written.

The Steem protocol (the "coin") was not hacked this time. I own Steem coins and would like to move them offline to a wallet to store safely, but alas I cannot find a wallet. If someone knows where, I would appreciate a link. Thanks in advance.

Have you looked at Bitshares Openledger? They let you buy and sell OPEN.STEEM that you can then turn into anything of your choice via a service called Blocktrades. You own your own wallet in the form of a "brainkey". The Openledger network runs on an MIT-designed blockchain dubbed Bitshares and is backed by BTS (the underlying currency is Bitshares). I am coindup-hasho on OL.
Use my referral link https://bitshares.openledger.info?r=coindup-hasho

My recommendation would be to join GitHub, but this is what I found https://www.offgamers.com/buy/steamwalletcard.html

Very good point - the platform itself was not compromised, which is great.

Which also means that a hard fork can't fix it.

I'm glad to see that too. The platform should develop no matter what happens.

Should people with big holdings consider changing their owner/active keys?

My guess would be whatever key you login with may be compromised, but I have no clue as to the hack details.

The lesson (re)learned is to use a secure password that is difficult to guess. Also, I am hopeful that two factor authentication makes its way here soon.

Do you know how the attacker got in? I assume they altered the javascript to exfil private keys, yes? How do you know how many accounts were compromised? It might be wise to cycle everyone's keys at this point. I'll definitely be updating my posting key.

Yea, I was thinking something along these lines as well. XSS to grab a js token. I haven't looked into the site code, but I seriously hope they're not using js tokens and are instead using http only cookies.

At least it has now been compromised, and from this experience Steem will uplift their security. Lesson learned.

Now that Steemit is in everyone's crosshairs, #3 on the top cryptocurrency list, we need to take development and security uber seriously. We should have 2-factor or phone-based (Coinbase does this) security features. Thanks for your updates.

and an account page so we can link our email and be able to change our passwords, plus a "forgot my password" option for the site

that does nothing for site security, and actually puts individual users at higher risk, as their email is now an attack vector

I could not agree more. Now that the solution has scaled and already has a dedicated consumer base of thousands of users, it will immediately attract unscrupulous eyes and unwanted attention as hackers will be interested in extracting some illegal value for themselves. Any cryptocurrency with a Top 5 market cap needs to be especially careful, not just from an authentication standpoint (some users have suggested implementing a two-factor authentication module for Steemit, which would help but that is only the beginning), but also from a regular site audit standpoint; these cryptocurrencies need to invest in the proper business continuity planning and disaster recovery management solutions, as well as ensuring that they have access to cyber security and digital threat forensic experts to help 'stress test' the system. This is only the beginning and there will be more and more attempts going-forward.

One last point worth mentioning, the actual Steem cryptocurrency was not impacted or attacked in this particular incident, it was only the Steemit.com website and that has since been corrected by Ned and his team.

Long live Steemit!

I don't think 2-factor auth would have helped in this scenario. It seems like the server hosting Steemit.com was compromised.

Unlike other crypto, Steemit's cryptomoney is mostly custodial. Since Steem Power is locked up for 2 years, that may greatly slow down a hack, but as the DAO has shown, a slow-mo train wreck is still messy. This platform is way too cool to go down in flames. We really need world-class security going forward.

Don't forget, the Shapeshift theft was by an insider. Yuge lessons to be learned there too.

2-factor definitely. This was a wake-up call to get serious. You can spend a lifetime creating a good reputation and lose it all in 5 minutes.

And if anyone on Steemit is re-using passwords... please stop doing that. I bit the bullet a while back and started using KeePass (open source) password manager. I have mega strong passwords on my Steemit keys and everything else important these days, and so should you.

Remember, your Steem Power and bitcoins just may be your retirement fund.... protect them!

How did they hack those accounts? Key-logging so they knew people's passwords? Or did they harvest stuff from reddit, and the users who were compromised used the same passwords as their reddit? And will the people concerned be able to change their passwords?

My respect for being honest and clever about this - I've informed the millionerds of https://stakepool.com about it - they are happy as well.

We believe in you guys, keep on keeping on!

millionerds

Maybe the Steemit website needs 2FA? I was wondering why it wasn't an option for my profile?

I mentioned in the Slack channel a week or so ago that I was concerned that we are starting to pile up funds and could become a target like the DAO. I suggested 2FA and limited-login-attempt security; I haven't tried, but I don't think you get a time lock if you enter the wrong password too many times. Also, articles that provoke other media platforms are dangerous and make us a target while we are still in incubation.

The coin price remained stable, luckily, and most of the damage was contained.

Regards,

Ricardo Goncalves (BNC Steemit Community Manager)

Correct me if I'm wrong, but 2FA does not protect against cross site scripting attacks, does it?
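The commenter is right, and the reason is worth spelling out with code. 2FA guards the login; an XSS payload runs after the login, inside the already-authenticated page, so what decides whether it can steal anything is (a) whether the session or key material is visible to script at all and (b) whether the browser lets the payload phone home. The added example below (not Steemit's code, and not from any commenter) shows the two server-side controls that address exactly that: an HttpOnly session cookie, which document.cookie cannot read, and a Content Security Policy whose connect-src refuses the exfiltration beacon. The site origin, cookie name and policy are assumed for illustration, and the CSP matcher implements only the subset of source expressions that apply to connect-src.

```javascript
// Added example, not Steemit's code. Origins and the policy are assumed.

// Set-Cookie header for a session id. HttpOnly keeps it out of document.cookie
// (so an XSS payload cannot read it), Secure keeps it off plaintext HTTP, and
// SameSite=Strict keeps browsers from attaching it to cross-site requests.
function sessionCookie(name, value, maxAgeSeconds) {
  if (!/^[A-Za-z0-9_-]+$/.test(name) || !/^[A-Za-z0-9_.-]+$/.test(value)) {
    throw new Error('cookie name and value must be token-safe');
  }
  return `${name}=${value}; Max-Age=${maxAgeSeconds}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// Parse "directive src src; directive src" into a Map of directive -> sources.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Does one CSP source expression permit a request to url from a page on
// pageOrigin? Handles 'none', 'self', '*', scheme-only sources and host
// sources with optional scheme, port and leading wildcard label. Nonces and
// hashes are omitted because they do not apply to connect-src.
function sourceMatches(source, url, pageOrigin) {
  const target = new URL(url);
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") return target.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return target.protocol.toLowerCase() === source.toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== target.protocol.toLowerCase()) return false;
  const targetHost = target.hostname.toLowerCase();
  const baseHost = host.toLowerCase();
  const hostOk = wildcard ? targetHost.endsWith(`.${baseHost}`) : targetHost === baseHost;
  if (!hostOk) return false;
  const targetPort = target.port || defaultPort(target.protocol);
  return !port || port === targetPort;
}

// True when a script on pageOrigin may open a connection (fetch, XHR,
// sendBeacon) to url under this policy. connect-src falls back to
// default-src; with neither present the browser allows everything.
function cspAllowsConnect(policy, url, pageOrigin) {
  const directives = parseCsp(policy);
  const sources = directives.get('connect-src') || directives.get('default-src');
  if (!sources) return true;
  return sources.some((source) => sourceMatches(source, url, pageOrigin));
}

// Assumed site origin and a policy it could ship: scripts and connections
// only to itself and its own API host.
const PAGE_ORIGIN = 'https://example.social';
const POLICY = "default-src 'self'; script-src 'self'; connect-src 'self' https://api.example.social";

// What an injected script typically tries once it runs in the victim's page:
// read whatever the page left in script-visible storage and beacon it out.
// With the session in an HttpOnly cookie there is nothing to read, and with
// the policy above the beacon itself is refused by the browser.
const EXFIL_URL = 'https://evil.example/collect?k=STOLEN_VALUE';

console.log(sessionCookie('sid', 'b7f2c1e0', 3600));
console.log('exfil beacon allowed:', cspAllowsConnect(POLICY, EXFIL_URL, PAGE_ORIGIN)); // false
console.log('own API allowed:', cspAllowsConnect(POLICY, 'https://api.example.social/v1/me', PAGE_ORIGIN)); // true
```

The caveat a practitioner will add: neither control protects a private key the page itself decrypts into JavaScript memory to sign transactions client-side. If the site must do that, the key is exposed for as long as the page holds it, and the only real mitigations are a strict script-src that keeps injected script out in the first place and signing outside the page (a separate wallet or extension).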

Hi @Scrawl I'm not a dev so can't answer that. Thanks for bringing that to our attention though. Most exchanges use it, so in my mind it has some security benefits.

I totally agree 2FA should be implemented!

There are many ways to log in which are more secure. 2FA probably wouldn't have any significant impact on security. Multisig already exists and you can separate your owner key password from your poster key.

So I suppose you can improve on this technology by allowing a third party to hold a backup key in case something bad happens or something similar to this.

How about limited login attempts to prevent brute force attacks? Someone could possibly hack the main owner password if not set securely enough by the user? What do you think?

I am new here, but excited about the project. Is there a guide somewhere that explains the best way to secure one's Steemit balances, especially if they grow somewhat large? Or is it just a matter of using strong passwords? Where are my private keys being stored when I sign up? Any other security tips would be greatly appreciated. Thanks!

I'm probably not much further than you are in this new platform, but you can find your keys in wallet/permissions. I changed the passwords that access my keys this morning. I use a password manager (KeePass) and they are strong passwords, but easily accessible to me on any of my gadgets.

I'd like to know the difference between 'active key' and 'owner key'. Anybody?

I consider measures like these a must. I develop a number of crypto services that hold users' funds; security, even the basic stuff, can't be taken lightly. My general guidelines tend to be: don't inform whether the password or username is incorrect, simply state invalid credentials; lock the account for 5 minutes after 5 invalid login attempts; don't notify on the login screen that this has taken place, notify the account owner via email; enforce strong passwords. I tend to be making 2FA mandatory now also.

Or completely overhaul the login system altogether. I demo'd a proof-of-concept user registration/authentication system using Jumbucks addresses and cryptographic signatures; all wallets have this functionality. The user provides a username and address on sign-up, nothing else is required (email optional if they want notifications); the user verifies ownership of said address by signing a random token using their wallet. To log in, the user enters a username, a random token is then presented, they sign the token using the address they provided on registration, and boom, they're in.

I was wondering why this wasn't an option also.

You're not legit until someone tries to hack you these days :)

You guys are kicking ass! Keep doing what you're doing, and keep building a fantastic community.

Transparency in this type of situation is more than we can say about the US government these days :)

Cheers!

hahaha so true :D

Welcome to the club!
-The DAO

I can imagine the DAO hacker saying "oh boy, just nabbed a boat load of Steem Power... in 2 years, I'm gonna have some real fun!".

See this here is the kind of transparency not normally seen in crypto. Bravo you all. Bravo.

Thank you for your quick actions. My immense confidence in you and your team has only increased as a result of your handling of this situation.

This post and the way the Steemit team handled the incident are admirable. With the current userbase numbering 26,000++, we should all realize that Steemit is comparable to the fetal stage of human growth. Weaknesses and attack vectors are important to identify and rectify. It is much, much better to discover these ASAP, instead of having them in the future when the Steemit userbase has beaten FB's 2,000,000,000++ registered users, by which time these kinds of attacks would already be gigantic, if not devastating, things to resolve.

So I would like to congratulate @ned, @dan and the whole team instead, for having handled the situation with a lot of grace and by doing so, might have mitigated future bigger attacks.

Here looking up on you guys. -east

Thank you for the great communication. Finally back on, I was having withdrawals and I've only been here a couple days.

Glad to see the site back up and running! It's quite commendable that you are reimbursing anyone who lost $ during this hack. It should inspire some confidence in people to stick with the platform for the long haul. If another layer of security could be added, it would be great! Cheers!

Thank you very much for confirming this and for your openness. Your ability to reimburse if needed also says a lot about your team. Respect!

Wow, this is extremely disheartening, but at the same time it has given me more confidence in Steem. Why, you ask? Well, it is simple: the hack was not directed at the actual coin, but rather at individuals. These individuals probably had some security flaws already.

Anyways, I am here to stay!

Why was the Politics topic link removed during the hack? I find it funny that my article regarding Decentralized Globalization was starting to trend just as this happened.

Here it is: https://steemit.com/politics/@senseiteekay/globalization-through-decentralization-fixing-the-world

I'll give you an upvote for being slick lol

Seriously, this happened. And as of 6 minutes ago someone's gone and posted the exact same content.

https://steemit.com/steemit/@senseiteekay/something-fishy-is-going-on

This article is trying to coin my idea straight after the hack has been patched: https://steemit.com/anarchism/@keithsmih/we-don-t-need-taxes-where-we-are-going

This is some bullshit.

You are implying that the hack was somehow to stop your articles from getting traction?

Not specifically but I am implying that's what happened. The critical theory I posted is articulately laid out and dangerous to those in the high tower.

Guys, I'm not sure what kind of cyber attack it was but I think Steemit community has a lot of motivated engineers and security experts that could have potentially eliminated the problem BEFORE it really occurred.

Any plans to open the source code of Steemit website?

yeah whats up with that

I can recommend https://zensoft.io/solutions/blockchain experts in security and blockchain development

@ned we're all here and waiting for more information from you, we hope the news is good for the future steemit, cheers

Wow. How much sleep have you guys had in the last 24h?!

Looks like you've handled things well, that is a very small amount stolen.

Would be interesting to know how they got in, was it a cross site scripting vulnerability?

This hack is a good example of why we need more clients for Steem, preferably open source. Steemit.com being the only usable portal into Steem is hampering the decentralization aspect. Is there someone working on alternative clients?

Let's hope... As awesome as steemit is, there needs to be more decentralized platforms to utilize.

STEEM: The only website in history that made (as of this writing) $1,651 off of the announcement admitting they were hacked and accounts were compromised. #legit

Bahaha so funny

I hope Steemit can be tightened, for the convenience of the public, and provide better comfort for the future.

I am proud of how quickly Steemit overcame this attack!!

@steemed @Ned

Great response from a real person in charge. I applaud you and your team for informing the community so quickly.

Wow. Thanks for the teamwork Bittrex!

Ned, thank you for 1) disclosing the nature of the issue, 2) promptly communicating and providing regular updates, 3) disclosing your defense strategy and reiterating that Steemit will maintain a zero-tolerance policy for criminal activity on a decentralized platform (this is absolutely critical for the future sustainability and growth of the Steemit ecosystem, especially in light of the recent dark web and related crypto markets; brand equity needs to be cared for) and 4) for ensuring that a more secure system is in production within 24 hours and for immediately containing the threat while doing your best to minimize impact to thousands of other users; the fact that the hacker(s) could only access 260 accounts is indicative of a unique technology structure that you have all implemented in Steemit; bullet proof!

I wrote a blog post on how timely and professional the entire Steemit team have been with its first hack; https://steemit.com/steemit/@bismail/what-happens-now-with-steemit-keep-or-sell-steem-my-thoughts

Hi,Ned!Can you tell all in video?

I still want to put some $ to my wallet. FU hackers

encrypt the sh!t out of your keys ;) lol F 16, mine are like 30 digits long for the important ones

good idea

Kudos to the team for containing this quickly and being so transparent with it - congrats for that and thank you! Everybody should change password just to be on the safe side.

I'm glad it's only a small attack. Ned and the team are the best at what they do. We will have to treat this something like a drill and come out the other side stronger and more robust as a community.

Great that you were able to contain it so quickly! Steem Power!

Thanks for the explanation, excellent work

I like to see that you guys were quick to stop this attack I was impressed keep up the good work Steemit team.

Thank you for being honest about this. So many other coins and exchanges try to hide it from us.

Thank you for your hard work , we are here for you!!!

Thank You very much for letting us know and giving us information!
It's a pity that new, innovative and growing startups are attacked by the dark forces of the net! But that's life. You'll have to expect this and be prepared!
I hope You'll find and solve the problems soon and are able to make steemit a better and safer place as a result!

I'm intrigued that the STEEM price hasn't been negatively affected by this yet. Maybe people are just used to cryptocurrencies getting attacked and stolen, and so they don't freak out about it quite as bad as they used to.

It hasn't been affected because all the exchanges have frozen trading

Trading is still active, just no deposits/withdrawals.

Are there short sale markets for Steem?

I think it makes sense for the price not be affected - this was an isolated attack on a few accounts with only a small amount stolen. The Steem protocol itself was never compromised. The faith in Steemit is still there as the team responded very quickly and contained the attack.

Even if the hacker got his stolen funds to Bittrex and was able to sell, $85,000 (128 btc) of sells would only drop the price by 2-4%.

The majority of all Steem is in Steem Power so it's secured against theft even in the event of a hack.

My point was about panic selling, not so much about dumped stolen coins.

Great to see this being handled openly and professionally. Thanks for the update, cheers!

Hopefully events like this do not happen anymore, because everyone has a comfortable start with steemit.

Thanks. How should we change our password? On the permissions tab I see 4 distinct keys. Thanks!

How can we tell if our account was compromised and if they got into it? I just checked mine and nothing is missing at all.

join to telegram.me/steemit_en for discussions

Yeah, but the reason Steem was targeted in the first place is because they're just like Bitcoin and people are making money faster. Steem is ranked third in cryptocurrency, but I think people get it already.

Hope it's true.
And in general, I propose to establish a fund to combat such attacks and pay for improvements. We must not let the history of the DAO repeat.
