RE: Offline Attack on Steem User Credentials
Upvoting for visibility (and the Spaceballs reference), but not without much conflict. More people need to understand how serious password security is and the need for a good password manager. At the same time, I don't want to condone grey hat activity.
There were other ways to handle this that would have been true white hat. You could have checked those 500~ passwords, verified them, and then contacted the Steemit team privately. I've been posting in the Slack channel about the need for a private bug bounty program like Bugcrowd for exactly that purpose. There should also be an easy to find ethical disclosure procedure.
In this case, however, was it really Steemit's fault or a PEBKEC (Problem Exists Between Keyboard and Chair)? All attempts at creating idiot proof software fail as better idiots are produced.
I hope you can work with the Steemit team in an ethical manner in the future. I know I'm coming across as judgemental here, and it's possible you actually saved a lot of people from a lot of trouble. It still just feels wrong. Either way, I wouldn't want to get on your bad side. :)
I don't fault the OP. This is a classic scenario where you don't fully comprehend the gravity unless it happens. I also like the fact that the OP is being financially compensated for his discovery. I hired my first CTO after he rooted our mail server!
You might be right, Bill. I guess I'm just much more comfortable with white hat activities. We use BugCrowd for FoxyCart and have been very happy with the professionalism and ethics of those involved. When something is exposed (thankfully it's almost always some third party system outside of our PCI environment), it's hard not to take it very seriously. From what I've seen of the team here so far, I think they would have taken a white hat approach seriously also. But... maybe not. As I said, whether or not I like it, this approach may have saved quite a few people from even more frustration.