Third Update to July 14th Security Announcement - Account Recovery Begins

in #steemit, 8 years ago (edited)

Steemit is proud to announce that account recovery is now available for community members whose accounts were compromised during the July 14 hack. To recover your account you will need to complete the following four steps:

  1. Click the "Account Recovery" link at the bottom of this update.
  2. Enter your old Password.
  3. Login via Facebook, Reddit, or provide your email address.
  4. Enter your old Password again, and then provide your New Password twice.

If you logged in with Facebook or Reddit your account will be immediately restored. Steemit will contact everyone else with additional confirmation instructions.

Steemit will be unable to recover your account unless you know a password that was valid within the past 30 days.

Please note that due to our implementation of enhanced blockchain security, new passwords must be 32 characters long. Ensure you use a combination of upper and lower case letters, numbers, and symbols. We recommend using a password manager (pcmag.com).

Returning Stolen Steem and Steem Dollars

The Steemit team is finalizing its analysis of the cyber attack and determining exactly how much Steem and Steem Dollars were stolen from each account. Once we have completed the full account of lost tokens, we will reimburse every compromised user as promised.

Thank you all again for your ongoing patience and commitment to the Steemit community as we process your requests. We are profoundly grateful.

Start Account Recovery

-- Ned


Thank you for pointing out the need for a good password manager. Some of my friends think the world isn't ready for public/private key encryption on a mass scale, but I like to remind them how at one time many saw email as too hard. Now it's second nature to just about everyone. Internet users can and will skill up and hopefully Steemit will help. If we want to build the economy of the future, we have to up our game, including the latest security updates on our computers, up-to-date anti-virus software, and a good password manager. Let's lead the way to the future economy.
Steem on.

This is a 2nd chance. Don't f up. Change PW and use something secure mix of up and down, special chars etc. Write it down and store it somewhere safe. In support, you wouldn't believe the amount of people that forget their passwords and can't recover their accounts because they didn't set up recovery questions or kept a copy somewhere safe.

If human beings are coming up with the passwords instead of a good password manager, they are already at risk. But yeah, password security is hard. (Cue XKCD post here...)

It's nice though not to be as worried about it as much as other cryptocurrencies, as long as most of your Steem is in Steempower. :)

I don't think I've ever used the word "as" 4 times in two sentences before.

5 times.
(And in 1 sentence. :D)

As one who has seen many exchanges get hacked, I completely agree. As we move forward, we have to act as if we're our own bank.

(dang it, only got 3 "as")

I don't think I've ever used the word "as" 4 times in two sentences before.

If they are using the web interface, the web interface could "cut" easy to guess passwords by requiring long password at least X chars, containing symbols, numbers, letters, caps, etc.

Haha, that's true, buddy. :)

I think a piece of hardware like the Ledger Blue wallet will have to become widespread as the crypto age ascends.

I am going for a 256 characters password! Just to be sure.

Perfect comment! We do need to step it up, I feel like a bimbo because I assumed I wouldn't get hacked.
Then I did...

I'm assuming my account is not compromised?

Lastpass with yubikey has been amazing for me. Makes 60+ character passwords no problem.

I went through the process but can't login via the Owner keys to change my passwords...Is that intentional?

Yep! You must login with your posting key first and then go to permissions page and click to "change password" then they will ask for owner key if you want to change it.... They just want to be sure nobody logged in with owner key and are browsing steemit's content! And that is fabulous!

I'm somewhat confused, I restored my account and logged in with the new 32+ char password, but all I see in the permissions tab is this...

Posting Key ===>>> Show Private Key
Active Key ===>>> Login to Show Private Key
Owner Key ===>>> absolutely nothing!!!

Am I supposed to login again (second time) with the new 32 chars key?

And most important of all, do I need to change the owner, active and posting keys or the restore function did this for me already?

Thanks

All keys changed with the restore function. Next time login with the posting key for extra security!

https://steemd.com/@chryspano/~owners

I like more keepass and it is really free, and more than that: it is open source (OSI certified). http://keepass.info/

I use keepass too, but a lot less as I moved to doing a lot on mobile. Has keepass made it easy to use on Android?

Thanks for all the hard work. It appears I'm back. I know the devs worked day and night. They deserve bottles of champagne. Or Mountain Dew, as I can't picture a dev drinking champagne for some reason.

I pictured them with Red Bulls. :D their veins flowing with 50% energy drinks until the security is up to speed. :)

Hey, thanks again guys for your hard work!!!
I've recovered and changed my password.
Side Note...
You stated that "New" passwords will need to be 32 characters. Is this mandatory or a suggestion???
I bring this up because my new pass is 28 characters and the system allowed me to keep moving forward with it. So if it's supposed to be mandatory you may want to look into this?!!
I'm going back and changing my, now that I've read your post.
Thanks again @ned and @dan

This is a HUGE deal. The fact Steemit was able to resolve the issue of accounts being hacked and return them to their rightful owners in a relatively short time span makes me feel much safer about continuing to invest and use steemit

So much quicker than "ethereum soft fork, okay let's try white hat attack, okay let's just hardfork".

What does that mean for people not affected by the hack, who managed to have their owner key cold/offline and don't need/want an account recovery option via steemit.com?
I noticed the field "recovery_account": "steem" in my account data (not sure if it was there before the fork). Is that the account that can recover my account and can I remove that or switch that to a 2nd account I (or a person I trust) control?
Not to be skeptical of the steemit team or something, really love what you're doing here! I'm just curious about how things work and my options.

Hi, that is the friend factor / trustee element of Steem. It has no authority to take ownership of your account, however, it can be used to identify you and help with disaster recovery in the case of a hacked account. It's described here: https://steemit.com/blockchain/@dan/steemit-releases-groundbreaking-account-recovery-solution

Thanks, I somehow seem to have missed the main post about the recovery mechanism.

Love all the work you all are putting into this. Revolutionary for sure.

Lost ownership of account. All I did was reset password. Tried recovery, it said password not used in last 30 days. I used it every day. Please help.

Yes, thankfully accounts that were hacked can be restored now.

Good luck devs!

Awesome! If you want to cash out any of your $740 steem dollars, it might not be a bad plan so you don't lose it all if you get hacked again. Write-up of steps lives here.

trevon nice!!!! good luck man been watching your vids A++++++++++

Good to have you back, brother. I remember when I first saw your videos; you've come a long way in a short space of time. Well, keep up the good work.