First Update to July 14 Security Announcement from Steemit CEO Ned Scott

in #steemit, 8 years ago (edited)

After conducting further analysis and following hack containment procedures, Steemit has been able to narrow the potential number of compromised accounts. We can now announce that in the past few hours, the Steemit team has been able to coordinate with elected witnesses to secure potentially compromised accounts with balances exceeding $100 US. As a result, we can ensure these accounts are restored to their rightful owners. This process has been completed.

Within the next 48 hours, Steemit will begin to allow all newly secured accounts to reset their passwords simply by logging in with the same Facebook or Reddit credentials that were used to register in the first place. This easy process will work for the vast majority of the potentially compromised accounts. All of these account holders will regain full access to their funds and their original account name.

If your user account was not created through Facebook or Reddit, Steemit asks that you contact our support team at [email protected]. We will be able to provide you an alternate solution. If you have any additional concerns about your account, please contact our support team as well.

The Bittrex team is completing analysis of our wallet. Once it has passed their rigorous compliance checks, they will reopen the wallet for deposits and withdrawals.

To all Steemit users:

If you have not done so already, please reset your account passwords. We ask this to ensure that everyone's account is secure. Remember that each account has 3 keys: an Owner Key, an Active Key, and a Posting Key. We recommend following best security practices by choosing unique passwords for each of these keys. This will allow you to safely use steemit.com with your Posting password.

As mentioned earlier, any Steem or Steem Dollars stolen from compromised accounts will be fully refunded by Steemit.

Thank you all for your patience and support through this process and for your wonderful contributions to Steemit.

-Ned

Previous Update Here


Confirming the authenticity of the account commenting on this account confirming the account posting this.

Giving suspicious glance at Confirmer and Confirmer of Confirmer.

ಠ_ಠ

Confirming the authenticity of the account commenting on this account confirming the account posting this.

Just want to drop that here: How to verify yourself and others properly with Keybase to make verification more explicit and verifiable. Since you could be compromised, too. :-)

Confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this post confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this of someone posting confirming authenticity of the account posting this post

Don't forget to change the memo key as well. Personally, I like to use the same password for posting and memo for convenience, but I keep the active key password separate and normally not logged in as active. The owner key also has its own separate password and is securely kept offline.

I think you guys handled this security breach really well! Thank you. Steemit has earned my full trust. xD

steemit3 is one of Steemit Inc's original mining accounts, and for now is one of the top 19 witnesses voted in by them for the hardfork to prevent any further losses of funds. https://steemd.com/witnesses

You got a point, maybe the author can explain. Steemit is however up and working, there is no reason to fake this kind of announcement.

Ned, thank you for 1) disclosing the nature of the issue, 2) promptly communicating and providing regular updates, 3) disclosing your defense strategy and reiterating that Steemit will maintain a zero-tolerance policy for criminal activity on a decentralization platform (this is absolutely critical for the future sustainability and growth of the Steemit ecosystem, especially in light of the recent dark web and related crypto markets; brand equity needs to be cared for) and 4) for ensuring that a more secure system is in production within 24 hours and for immediately containing the threat while doing your best to minimize impact to thousands of other users; the fact that the hacker(s) could only access 260 accounts is indicative of a unique technology structure that you have all implemented in Steemit; bullet proof!

I wrote a blog post on how timely and professional the entire Steemit team have been with its first hack; https://steemit.com/steemit/@bismail/what-happens-now-with-steemit-keep-or-sell-steem-my-thoughts

Thanks for your excellent work.

Our hardest times are also the times when we can evolve the most. This clean solution only serves to strengthen the trust users have in you and your team.

Full steem ahead!