I'm Back!!! How my Account Got Stolen, How to Avoid Having This Happen To You, & How To Fix It!

in #stolenaccount • 7 years ago (edited)

I got locked out of My SteemIt exactly 4 days, 3 hours, and 36 seconds ago.

Ok, I'm kind of exaggerating. I didn't count it that closely, but it has been 4 very long days without SteemIt.



Why? How did I get locked out of my account?

Like a genius, I published my password in a post... wasn't very careful with my password. So, my account got stolen.

First off, I would like to give a shoutout to @aggroed and @drakos for giving me information on how to get my account back and for talking me through the ways to do it. Also a HUGE thank you to @someguy123 for recovering my account for me with anonsteem!

This is going to be a bit of a long post, but I think it's important to share this information.


So, I will explain to you how exactly I lost my account, what I did to get it back, along with some tips to prevent this in the first place. This is some serious genius territory, right here.

How I managed to lock myself out of my account in the first place



In a short answer, I copy & pasted like a pro and didn't read my post over before I published it. I was intending to copy & paste a link, I pushed CTRL + V, published my post, and that was that.

And just so that you can fully comprehend the sheer brilliance of what I did, here is a picture to prove it:

brilliant1.PNG

Don't worry, that's not my password anymore. 😉 My password is a secret now. That is all I had to do, and I was immediately locked out. That's how easy it is to screw up all you have been working for on SteemIt.

SteemIt Bots



As soon as I published that post I was instantly signed out of SteemIt. No, I didn't even have time to delete the post or change my password. It wasn't even 10 seconds and I couldn't get back in.

And it felt like the world was ending, it was terrifying. I thought I had lost my SteemIt account forever, and that my last 3 weeks spent on SteemIt meant nothing. I thought I was going to need to start over.

In my panic, once I realized what I had done, I went back and tried to edit the post and the little "edit" button wasn't at the bottom of my post. Huh, that's weird, I thought. It was because I was already signed out.

The reason for this is SteemIt bots. There are good bots on SteemIt, and there are bad bots. And some of these bots are programmed to scan for passwords. If it is a good bot that does this, chances are you will be able to recover your account and won't lose your money. If it is a bad bot that gets to it first, you will be locked out and the chance is there that you will lose everything in your account.

I am fairly certain it was a bad bot that got to my account, but I got lucky. I got lucky for a few reasons:

#1: I didn't have a large sum of money in my SteemIt account. I only had a few cents in there, lucky for me.
#2: I had recently changed my password.

Which brings us to...

Change your password at least every 30 days!!

SteemIt cannot recover a password if you lose it. And there is absolutely zero chance of your account being recovered if you don't have your most recent password.

A "most recent password" is a password that has been updated within the last 30 days. This is what will allow you to recover your account, should you ever need to.

When the bot stole my account, it generated a new master owner key, thus locking me out and taking ownership of my account. Right after I got locked out, I checked my steemd and noticed something curious.
accountdata.PNG

Right when I published my post, it showed I updated my account data. I was like... ummm, no I didn't...

No. I didn't.

The bot did. That, right there, is the evidence that a bot changed my password and took authority over my account. I didn't do anything to my account settings that day.

But, if you have a most recent password, you will be able to recover your account and lock the bot out.

This works because in the account recovery process, if you have a recent password (and verification of your identity through email, or something else, more on that later), SteemIt will generate a master owner key to match your original password, from when you had authority of the account. This is because your password is stored in the blockchain for 30 days, with your account authority information. When it recognizes you have authority again, it will invalidate the bot's authority and lock it out.

Edited To Add: According to @someguy123, It is after 30 days since changing your password that the recovery window for your account is blocked. This is a built-in safety feature to protect accounts from hackers. So the biggest thing is making sure you keep your password somewhere safe so that you don't lose it, and making sure you have several copies of it is smart. How I understand it is you don't necessarily need to change your password every 30 days, but if you do it should keep your recovery window for your account open, in case you do need to recover it. So take that as you will, but I will DEFINITELY be changing my password frequently, just to be safe so that my account recovery window will stay open.



You can read more about account security here and here. Thank you @drakos for these links!

Again, this is why you need a recent password to recover your account!

Don't keep a large sum of money in your SteemIt account!



If I had just had a large sum of STEEM Dollars in my account, chances are, it would be gone by now. Luckily for me, I only had 92 cents because I am just starting to build my account and my following. So that must not have been enough money for the bot to bother with taking 😏.

So I would strongly recommend that you don't keep a lot of STEEM Dollars in your account at once. Once you get a pretty good amount I would either transfer it to STEEM Power, or cash it out. This way if your account ever does get stolen, you don't lose everything. I know I will be doing this.

Log in with your private posting key, not your master password!



I also learned through this mistake, something very important. Something I am glad I learned before I was too far into my SteemIt career.

If you are just logging into SteemIt to post and browse through posts, you only need to log in with your private posting key. You only need to log in with your master password when you are transferring money or updating your account settings. But if you log in with your private posting key, if you accidentally make the copy & paste mistake, it won't be quite as big of a deal. You should have time to edit your post and take it out, and it makes it harder for your whole entire account to get hacked.

To log in with your private posting key, go to your wallet > permissions and click on show private key to the right of POSTING. Copy & Paste that into your password box when logging in. It is infinitely more secure.

Ok, so, what to actually do if you do need to recover your account



First, stop panicking. Wipe your nose off and prepare to recover your account just as brilliantly as you lost it.
Also, prepare to be patient. This might not get you back into your account immediately.

There are a couple ways to go about this. Either way, you will need your most recent password and the email associated with your account.

First, figure out if your account was made with the classic SteemIt system, or if it was made using anonsteem.

I came to SteemIt as an UnFucker, and @aggroed was nice enough to sign a bunch of us up so we didn't have to wait for activation. He used anonsteem, which @someguy123 developed and runs.

One way to see how you were signed up is to check your steemd. You can do this by going to www.steemd.com/@yourusername. This is also a great website to check your voting power and bandwidth.

On the left side of your screen you will see a chart with lots of information about your account. This is all public and stored within the blockchain. Look to where it says "Recovery Account". If you were signed up using anonsteem, yours will look like this:

anonsteem.PNG

If you were signed up regularly, yours will say Recovery Account: steem.

If you were signed up using steem, you have to initiate SteemIt recovery within 30 days of losing your account. To do this you will need to click the three-line menu at the top right of your screen, and click "Stolen Account Recovery". You will then need to enter your most recent password and the email address associated with your account. You also can do it this way if you were signed up with anonsteem, but there is a more effective way to do it, IF YOU WERE SIGNED UP USING ANONSTEEM. *

I didn't know about this option at first, so I initiated SteemIt recovery as soon as I got locked out. I still haven't heard anything back. Apparently SteemIt recovery is very blocked up, so it may take a while for you to get your account back this way. But if you do do it this way, you should eventually get an email back with a way for you to change your password.

However, if your account was made with anonsteem, @someguy123 can recover it for you if you send him an email or a discord message or a steem.chat message. If you were signed up using anonsteem he is essentially the creator of your account, so he has the power to recover it. He will, again, need your most recent password and the email associated with your account, along with a way to verify your identity, so that he knows you really are the original owner of your account. Thanks to @aggroed for giving me the idea to contact @someguy123.

* EDITED TO ADD: You actually can't initiate account recovery through SteemIt if you were signed up using anonsteem... if you want to recover your anonsteem account, you have to recover it through anonsteem, which @someguy123 can do.

Getting My Account Back



Last Saturday, the day I locked myself out of my SteemIt account, I first messaged @aggroed, then following his advice I initiated SteemIt account recovery and messaged @someguy123.

@someguy123 got back to me earlier today asking for my most recent password, email, and verification of my identity.

Obviously email and discord aren't the most secure, so if a hacker can hack a steemit account, they could also hack them! So the only way for @someguy123 to verify my identity was to ask me for something no one else has access to.

My chicken. He wanted proof with my chicken. 🤣

One of my first blogs on steemit was about my pocket chicken. So he asked me to prove I still have my chicken by sending him pictures of my pocket chicken, next to a piece of paper that said "anonsteemzoey".

Well, I thought. At least he's being humorous about it 😂😂😂!

So, I sent him these pictures:
steemitchicken1.PNG
steemitchicken2.PNG
steemitchicken3.PNG

And, voila! He recovered my account.

I'm So Happy To Be Back!!!!



I'm so excited to be back on steemit, to learn and chat and grow with you all! I will definitely be more careful with my password in the future 😬

I hope some of you find this information useful! If you do, please upvote this post!

Also, thanks to @erinn for going around commenting on my posts to let people know about my stolen account! I have it back now!


Until Next Time,

~Zoey

Just a slight correction :)

"You also can do it this way if you were signed up with anonsteem, but there is a more effective way to do it, IF YOU WERE SIGNED UP USING ANONSTEEM."

You can't use the Steemit account recovery system if you didn't sign up via Steemit. If you used Anonsteem, the only way to recover your account is to contact me (email on the bottom of anonsteem).

When an account is created, a "trustee" is set to the account which created it, e.g. @anonsteem for accounts made using AnonSteem, or @steem for Steemit.com accounts. This trustee is the only account which is able to recover your account. No other account. So if it's made via anonsteem, only anonsteem can recover it, not steemit.

I don't know why they don't reject accounts when you enter them on there, a lot of people wait weeks for recovery from there, only to find out that steemit wasn't responsible, and now it's past the 30 day window and they've lost their account.

Change your password at least every 30 days!!

I believe my original article was wrong about this. When the owner key is changed (e.g. using change password), there is a 30 day window to initiate recovery using ANY previous owner key or password.

30 days after a password is changed, the recovery process is blocked, this is to protect against a hacker attempting to recover your account, and also to protect you against a malicious trustee agent. For example, after 30 days, you will actually be able to change your trustee to someone else such as steem, allowing you to recover your account using their service, instead of AnonSteem, or give it to a technical friend who you trust to recover your account.

How to change your trustee (by @themarkymark): https://steemit.com/steemit/@themarkymark/how-to-change-your-recovery-account

Ok, thanks for this! I will update the post with this info.

It's very interesting to know, because when I initiated recovery that way, it said someone would contact me and I still haven't heard anything back from them... glad I am not still waiting for that!

Glad you were able to get your account back, I'm actually surprised they are able to recover accounts at all once the password is changed, good thing you still have the chickens!

I was surprised they could fix it, too! I thought for sure I was gonna have to start over lol. Yes, very good I still have my chickens!! :)

You are soooooooo lucky haha. I am happy for you that you got your steem account back!

Aaaand that there is a solution for getting your account back. I resteemed your post for others and my self so I can look back at my resteems when needed :P

I have to say that this is a story you probably never forget about hahaha

Cheeeers

Thanks! I'm glad you find this useful and think your followers will too :)

This is a post worth reading. I smiled when you say it is not a quick fix, wipe your nose and get back to business.
thanks for the idea of changing your master key every so often like 30 days.
Keep on steemin'

Thank you! I'm glad you find this helpful!!

That’s scary for sure! Glad to hear you got your account back! I will Resteem this post to help get more info out there about account recovery! Thanks for the post!!

Thank you!! I'm glad you find it useful!

It IS scary! I mean, I was paranoid about checking my posts for passwords before this happened, but I had no idea. I still thought you at least would have time to fix it, now I know better!

Thank you for sharing this story, I did not know there were bad bots!

Tough lesson to learn but at least it has a happy ending. I only confirm people's accounts by chicken pics too.

Yes, it was tough lol. But I am happy I learned that lesson before getting too far into my SteemIt account! Also, yeah, I thought it was the most brilliant thing ever!!!

Congratulations getting your account back.. and thanks for these great info 🙂
@josteem

How horrifying. I can't imagine how panicked I would have been or the intermittent phases of anger and sadness. I am so glad you fixed this, and your write up on this is one of the most important posts I have read since I have been here. I apologize that my upvote is not worth anything, as you deserve thanks for sharing your ordeal.

Blessings to you and yours.

@masterbot has been called by @practicalthought to give you 4.09% upvote!
Check this post for information about delegation. Make me strong!

Hi @masterbot,

It seems you got a $35.8914 upvote from @masterbot at the last minute before the payout. (14.17h) and this comment is to make everyone aware.

Please follow @abusereports for additional reports of potential reward pool abuse. Thank you.

Uhgg. sorry Zoey, that upvote was meant to be for you. This was the first time I tried using an upvote bot on someone else's post. I got the idea earlier from a post I read. I will try again in the next day once I have more steem, only on a different post that I don't comment on to make sure this doesn't happen again. Not sure how it gave it to me in the first place.

Lol, don't worry about it! :D It's the thought that counts! I'm glad you find this post useful! I would upvote your comment too but unfortunately after all of this my voting power isn't worth very much right now either XD... when it comes back up later I will!

Some useful info in this post, like changing the password every month :)

I'm glad you find it helpful! I was hoping through sharing my experiences with this that it might help others on here.

Sweet glad you're back @calebotamus here too!☝️👽😸😁 Have fun be grateful!

Thanks!! :) Following you!

Yayyy! 😂 So happy to have you back @zoeyartanddesign! 🎉🐔

Thanks to Belle, a beautiful bird!

Thanks! :D She is a beautiful bird!! She's also super sweet. Whenever I go out to the brooder, I open the door and say "come here Belle" and she flies right up on the edge to visit. No joke! 💖

Yes, I know... I have some vegan friends with chicken pets... really lovable! 💖

Woah, it's nice to know that we still have a chance to recover our account. Thank you for the information, I think we should really be careful about this matter

Yes! We do need to be very careful about it! :) I'm glad you find this information helpful!

Thanks for this info. I'm not planning on making my password public, but ... you weren't either. 😃 So, just to be on the safe side, I'm bookmarking this page.

That's exactly right!! No, I wasn't planning to... in fact, even before this happened I was obsessive about checking my posts before publishing them... just didn't with that one, and that's all it took! 🙊

i am resteeming the shit out of this because i was just thinking about this today. thanks for the very extensive and user friendly guideline.

Thanks!! I'm glad you find it helpful! :)

Isn't the community great?

I triple check triple times to ensure my account is safe.

Yes, it is great! I was double-triple checking mine too, but I was hurrying when I made that post and so for the first time I didn't 😬

Fortunately, everything worked out!

Hey, do you have discord? I have a question about Wondrous Cre8tions. Well, more like looking for advice. I'm interested in the on-demand industry.

I do :) My tag is #3482.

thanks a lot for sharing your experience... it'll be helpful if anyone got hacked.. really helpful post... 👍

Thanks, I'm glad you find it helpful!!

Glad that you have recovered your account and thanks for sharing your experience with us. Now I'm sure everyone will take better precaution before posting any kind of information.. Welcome again :)

I did not know this about updating the password every thirty days, and I have been here over a year. Thanks a lot for letting us know about this.

Awesome I'm glad you learned something! I know I did, because I was forced to! Lol :)

That is some craziness. I’m glad you’re done with the shut-out. Thanks for all of the info!

It definitely is craziness! I'm glad I'm back in too!! I didn't know what to do without SteemIt, even though I've only been a member for a few weeks!

I'm so happy for you that you got your account back. Thanx for this post. I will be sure to change my password more often.

Wow, Zoey, glad you recovered your account! steemit seems very complicated to me! Thank you for posting this. I just activated my account yesterday and am trying to learn the ropes. I did resteem it. Meow... :)

It is complicated, but we will learn! :) Following you!

Thank you! Meow... :)

Congratulations, it's good that you recovered your account. For more security your chicken can save your password, he will not give it to anyone.

Thank you! Yes, I am sure my chicken could keep my password safe! xD

Those chicken pictures! Especially the last one.

He'll peck the bot to death, I'm sure!

Glad that you got your account recovered, and this ended in a good story, not a bad one!

Haha thanks! I'm sure she would! LOL

Congratulations @zoeyartanddesign!
Your post was mentioned in the Steemit Hit Parade for newcomers in the following category:

  • Comments - Ranked 9 with 80 comments

I also upvoted your post to increase its reward
If you like my work to promote newcomers and give them more visibility on Steemit, feel free to vote for my witness! You can do it here or use SteemConnect

That's awesome, thank you! :)

Following you!

Are you sure you have to change your password every 30 days to recover it? I thought you simply had 30 days to recover your account. Meaning, the new password doesn't become permanent for 30 days.

How does the stolen account recovery process work?
If your password has been changed without your consent, then the account designated as your recovery account can generate a new owner key for the account. The account recovery must be completed within 30 days of the password being changed, and you must supply a recent owner key that was valid within the last 30 days.

Steemit Inc. owns the default recovery account (@steem) for all users who sign up using Steemit.com. Steemit can identify users by their original email, Facebook, or Reddit logins that were used to signup via Steemit.com.

If you don't have the master password or owner key that was valid the past 30 days, or are unable to prove that you are the original owner of the account, then your account will be unrecoverable.

You do only have 30 days to recover your account, but yeah I'm pretty certain you need to change your password too... it won't count as "recent" if it's past 30 days old, via the links I put in my post. And if it doesn't count as recent, how I understand it, is that the blockchain won't have anything to associate with your authority and ownership with the account. I'm not an expert, but that's how I understand it. :)

I'm also curious about the 30 days so I actually dug into the steem code and found this:

Being able to satisfy an owner authority that was used in the past 30 days is sufficient to prove past ownership.

It sounds like you need to just login every 30 days, not necessarily change the password, but it's still a little ambiguous. This is the best authority I could find so if anyone more knowledgeable sees this, please comment and help us all to understand!

I by no means am a SteemIt expert, I'm still a minnow, so if I did have it wrong by all means someone correct me. This is how I understand it, because of a steemit post by @someguy123 that reads:

"The important thing is the recent password.
The STEEM blockchain knows the history of your account, and every owner key that has ever been used for it. When you enter your recent password, it uses that to generate an owner key that can match up to a previous owner public key on the account. Without that password, the trustee cannot do a thing...Small note: The "old owner key" has to be recent, which as far as I'm aware means active within the past 30 days (someone please correct me if I'm wrong)"
Read his full post here

Again, this is just how I understand it. After this I am going to change my password recently to prevent this, just to be safe.

Oh, I guess it does say "active" within the last 30 days... so looking into the logistics of what that means might be helpful.

I think it's insane that there are just bots trolling every post just on the off chance that someone accidentally posts a key. Seriously how big of a douche do you have to be to put time into programming that?

I KNOW! It's absolutely crazy!! Clever, but fucked up!

Where there is financial gain, people will look for opportunity to take advantage of a quick mistake it seems. It must happen often enough for it to be worthwhile to have a process to harvest it. Maybe a future feature of Steemit is to do a syntaxes check like the bot is doing and warn the poster to confirm before making the post to mitigate the oops scenario?

@jeftek, that is a really fantastic idea! Have you ever logged in through minnowsupport steem -- mspsteem.com? It's a platform that looks and functions exactly like this steemit does, saves all your info, and is run by the minnow support project. I think they actually do have a feature similar to what you are talking about.. because I will tell you a secret.. when I logged in through there and made a post a few weeks ago I accidentally did copy & paste my password, and it wouldn't let me make the post. A notice popped up that said "you are attempting to publish your master password and we don't allow that".
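
A pre-publish check of the kind discussed in the two comments above, written as an added example (it is not part of the original thread and is not Steemit's or mspsteem's code). It assumes Steem private keys use the WIF layout (51 base58 characters, version byte 0x80, double SHA-256 checksum) and that a Steemit-generated master password is the letter "P" followed by such a key; all function names and the sample key are constructed for illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_RUN = re.compile("[%s]{51,}" % B58)  # any run long enough to hold a key


def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + raw


def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def is_wif(candidate: str) -> bool:
    """True only if the string decodes to 0x80 + 32 key bytes + a valid checksum."""
    if len(candidate) != 51 or candidate[0] != "5":
        return False
    raw = b58decode(candidate)
    return len(raw) == 37 and raw[0] == 0x80 and checksum(raw[:33]) == raw[33:]


def find_secrets(body: str):
    """Return (kind, start, end) for every key-shaped string in a post body.

    Every 51-character window of each base58 run is tested, so a key pasted
    directly against other text is still found. The checksum test keeps
    ordinary long tokens (hashes, URL slugs) from being flagged.
    """
    findings = []
    for run in B58_RUN.finditer(body):
        text, base, i = run.group(), run.start(), 0
        while i + 51 <= len(text):
            if is_wif(text[i:i + 51]):
                master = i > 0 and text[i - 1] == "P"  # assumed "P" + WIF form
                kind = "master password" if master else "private key"
                start = base + i - (1 if master else 0)
                findings.append((kind, start, base + i + 51))
                i += 51
            else:
                i += 1
    return findings


def review_post(body: str):
    """Gate for the publish button: (True, body) or (False, redacted preview)."""
    findings = find_secrets(body)
    if not findings:
        return True, body
    parts, last = [], 0
    for kind, start, end in findings:
        parts.append(body[last:start] + "[REDACTED %s]" % kind)
        last = end
    parts.append(body[last:])
    return False, "".join(parts)


def make_sample_wif(seed: bytes) -> str:
    """Build a throwaway key-shaped string for the demo (constructed data)."""
    payload = b"\x80" + hashlib.sha256(seed).digest()
    return b58encode(payload + checksum(payload))


# Constructed sample: a password pasted where a link was meant to go.
SAMPLE_KEY = make_sample_wif(b"constructed example, not a real account")
SAMPLE_POST = "Check out my new drawing here: P" + SAMPLE_KEY + " hope you like it!"

if __name__ == "__main__":
    print(review_post(SAMPLE_POST))
```

Because the check runs before the post is broadcast, the secret never reaches the public chain, which is the only point at which catching it helps.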

Check out my comment at the top of this post, I explained some things in detail.

Hello friend, good evening, what a great post, regards

I am going to preface this with: I don't speak Spanish, so for anyone who speaks English and Spanish, I realize this might not be correct lol. But I translated my answer with google translate!

Hello! Thank you for your comment! I'm glad you like the post! :)

All is well. :) So happy for you that you got your account back. :) This would be a really great guide for people who have their accounts hacked. Thanks for creating this. And also thanks to those people who helped, It's really awesome if you find a support group, especially for us who just started using steemit. :) Will definitely save this for future reference. :)

And that is just one of many reasons why Steem is awesome!

Also - My son loves watching Paw Patrol and the mayor has a pocket chicken named Chickaletta...until just now I did not know that "pocket chickens" were a real thing.

My mind is blown :-)

OMG That's hilarious!! I didn't know it was a real thing either, actually! I guess it just seemed natural to stick her in my pocket, since she was lonely and I couldn't sit down next to her all day... LOL

The best part about this is the chicken verified recovery! :D
And that reminds me, i should change my password every 30 days!

I know, right?!

6E1308AE-B926-4328-90CE-B34F041C473C.jpeg

Not sure exactly what that means, but it seems like a good thing! Lol :)

Excellent cautionary tale!

Glad you got your account back and thx for sharing. I would have had no idea, but I do think I need to pay more attention to my passwords and change them on occasion. Thx.

I know, I was sort of mad at myself for being so dumb, but anyone could do it.... all it takes is not paying enough attention! But I'm glad there is a way to fix it!!

Turns out this was super timely! I helped a friend make her account last night using @blocktrades and she has since lost her keys (turns out I'm a shitty teacher). So we are going through the recover process right now...lol.

Oh wow, that's crazy! I'm glad at least maybe this post helped!

Congrats on getting your account back. Earlier, I believed that it won't be possible to get the account back after password has been stolen but after reading your post, at least that fear has dropped.

Thank you! And yes-- it IS possible, as long as you have a recent password and ID verification!! :)

Thanks for posting this. I have been concerned about the security and recovery process of Steemit and have meant to dig into it in more detail so this helped see a real world scenario play out.

Resteeemed for awareness

Thank you! I am glad you find this helpful!

I know, some things you just can't comprehend until they happen to you-- this is one of those things!!! You can prepare yourself for it all you want, but that feeling when you realize you are locked out is awful.

So, hopefully, this post actually does help some people to not do this!! Or, to fix it if they do. :)

Sorry to hear of your hassle, but at least you got your account back. That must have been a great relief. It would be, for me. Although the amount in the account is only a few cents, it is the work and effort that has been put in. That is painful to lose.
Very kind of you to share your experience and to show us how to go about getting our accounts back.
Cheers!

Yes that is exactly it--- thinking you just lost all of the effort you put in. While it may seem silly because I have only been a member for about 4 weeks, I have put a LOT of time and effort into my account every day (minus the 4 I spent locked out) trying to build up my account!

And thank you! I'm glad you find this useful :)

well done chick!!!! and this is a great post- we should book mark it for future reference :D

love d

Thank Goodness...You got your account back. Surely some Best Tips for keeping your Account Safe and Recovering it.

Thank you! I'm SO excited to have my account back!! 😄

You must be Excited...That is indeed an awesome news...Itz like getting your Treasure back. 😉 My Precious.

Yes, it is like getting your treasure back!!