Important Security Announcement: Steemit CEO Ned Scott

in #steemit, 8 years ago

Steemit was today subjected to a cyber attack. In the attack, fewer than 260 accounts were compromised, and less than $85,000 worth of Steem Dollars and Steem may have been stolen.

The hack has now been contained. User accounts and wallets are not at risk, and we hope to soon reactivate the Steemit website to normal order. Any users whose accounts were compromised will be completely reimbursed.

Though only a relatively small amount of Steem was stolen, we take any form of criminal activity against our community extremely seriously. We have reported the hack to police and other cyber crime authorities, including the FBI. A full, internal investigation is currently being conducted and we are working on an immediate solution.

Partner exchange Bittrex was informed of the compromise and is actively helping the investigation. As a precaution, they have temporarily suspended the ability to deposit or withdraw Steem and Steem Dollars from their exchange. The suspension will be lifted as soon as possible.

Thank you all for joining us on Steemit. We apologize for the temporary disruption of services and look forward to resuming operation of our social network.

Regular updates will be provided here on Steemit.com.

-Ned


This article should mention that the Steem protocol (the "coin") was not hacked, nor was any smart contract running on top of the Steem protocol. This hack is a website hack where a hacker stole funds and account credentials, and not a hack on the coin itself, at least according to the best information available when this article was written.

The Steem protocol (the "coin") was not hacked this time. I own Steem coins and would like to move them offline to a wallet to store safely, but alas I cannot find a wallet. If someone knows where, I would appreciate a link. Thanks in advance.

Have you looked at Bitshares Openledger? They let you buy and sell OPEN.STEEM that you can then turn into anything of your choice via a service called Blocktrades. You own your own wallet in the form of a "brainkey". The Openledger network runs on an MIT-designed blockchain dubbed Bitshares and is backed by BTS (the underlying currency is Bitshares). I am coindup-hasho on OL.
use my referral link https://bitshares.openledger.info?r=coindup-hasho

Which also means that a hard fork can't fix it.

I'm glad to see that too. Platform should develop no matter what happens.

Should people with big holdings consider changing their owner/active keys?

My guess would be whatever key you login with may be compromised, but I have no clue as to the hack details.

The lesson (re)learned is to use a secure password that is difficult to guess. Also, I am hopeful that two factor authentication makes its way here soon.

Do you know how the attacker got in? I assume they altered the javascript to exfil private keys, yes? How do you know how many accounts were compromised? It might be wise to cycle everyone's keys at this point. I'll definitely be updating my posting key.

Yea, I was thinking something along these lines as well. XSS to grab a js token. I haven't looked into the site code, but I seriously hope they're not using js tokens and are instead using http only cookies.

At least it has now been compromised, and from this experience Steem will uplift their security. Lesson learned.

Now that Steemit is in everyone's crosshairs, #3 on the top cryptocurrency list, we need to take development and security uber seriously. We should have 2-factor or phone-based (Coinbase does this) security features. Thanks for your updates.

And an account page so we can link our email and be able to change our passwords, and a "forgot my password" option for the site.

That does nothing for site security, and actually puts individual users at a higher risk, as now their email is an attack vector.

I could not agree more. Now that the solution has scaled and already has a dedicated consumer base of thousands of users, it will immediately attract unscrupulous eyes and unwanted attention as hackers will be interested in extracting some illegal value for themselves. Any cryptocurrency with a Top 5 market cap needs to be especially careful, not just from an authentication standpoint (some users have suggested implementing a two-factor authentication module for Steemit, which would help but that is only the beginning), but also from a regular site audit standpoint; these cryptocurrencies need to invest in the proper business continuity planning and disaster recovery management solutions, as well as ensuring that they have access to cyber security and digital threat forensic experts to help 'stress test' the system. This is only the beginning and there will be more and more attempts going-forward.

One last point worth mentioning, the actual Steem cryptocurrency was not impacted or attacked in this particular incident, it was only the Steemit.com website and that has since been corrected by Ned and his team.

Long live Steemit!

I don't think 2-factor auth would have helped in this scenario. It seems like the server hosting Steemit.com was compromised.

Unlike other crypto, Steemit's cryptomoney is mostly custodial. Since Steem Power is locked up for 2 years, that may greatly slow down a hack but like the DAO has shown, a slow mo train wreck is still messy. This platform is way too cool to go down in flames. We really need world class security going forward.

Don't forget, the Shapeshift theft was by an insider. Yuge lessons to be learned there too.

2-factor definitely. This was a wake-up call to get serious. You can spend a lifetime creating a good reputation and lose it all in 5 minutes.

And if anyone on Steemit is re-using passwords... please stop doing that. I bit the bullet a while back and started using KeePass (open source) password manager. I have mega strong passwords on my Steemit keys and everything else important these days, and so should you.

Remember, your Steem Power and bitcoins just may be your retirement fund.... protect them!

Great job @ned and the rest of the team. Good action taken, looking forward to the future!

How did they hack those accounts? Key-logging so they knew people's passwords? Or did they harvest stuff from reddit, and the users who were compromised used the same passwords as their reddit? And will the people concerned be able to change their passwords?

My respect for being honest and clever about this. I've informed the millionerds of https://stakepool.com about it; they are happy as well.

We believe in you guys, keep on keeping on!

millionerds

Maybe the Steemit website needs 2FA? I was wondering why it wasn't an option for my profile?

I mentioned in the Slack channel a week ago or so that I was concerned that we are starting to pile up funds and we could become a target like the DAO. I suggested 2FA and limited-login-attempt security; I haven't tried, but I don't think you get a time lock if you enter the wrong password too many times. Also, articles that provoke other media platforms are dangerous and make us a target while we are still in incubation.

The coin price remained stable, luckily, and most of the damage was contained.

Regards,

Ricardo Goncalves (BNC Steemit Community Manager)

Correct me if I'm wrong, but 2FA does not protect against cross site scripting attacks, does it?

Hi @Scrawl I'm not a dev so can't answer that. Thanks for bringing that to our attention though. Most exchanges use it, so in my mind it has some security benefits.

I totally agree 2FA should be implemented!

There are many ways to log in which are more secure. 2FA probably wouldn't have any significant impact on security. Multisig already exists and you can separate your owner key password from your poster key.

So I suppose you can improve on this technology by allowing a third party to hold a backup key in case something bad happens or something similar to this.

How about limited login attempts to prevent brute force attacks? Someone could possibly hack the main owner password if not set securely enough by the user? What do you think?

I am new here, but excited about the project. Is there a guide somewhere that explains the best way to secure one's Steemit balances, especially if they grow somewhat large? Or is it just a matter of using strong passwords? Where are my private keys being stored when I sign up? Any other security tips would be greatly appreciated. Thanks!

I'm probably not much further than you are in this new platform, but you can find your keys in wallet/permissions. I changed the passwords that access my keys this morning. I use a password manager (KeePass) and they are strong passwords, but easily accessible to me on any of my gadgets.

I'd like to know the difference between 'active key' and 'owner key'. Anybody?

I consider measures like these a must. I develop a number of crypto services that hold users' funds; security, even the basic stuff, can't be taken lightly. My general guidelines tend to be: don't inform that the password/username is incorrect, simply state "invalid credentials"; lock the account for 5 minutes after 5 invalid login attempts; don't notify on the login screen that this has taken place, notify the account owner via email. Enforce strong passwords. I tend to be making 2FA mandatory now also.

Or completely overhaul the login system altogether. I demo'd a proof-of-concept user registration/authentication system using Jumbucks addresses and cryptographic signatures; all wallets have this functionality. The user provides a username and address on sign-up, nothing else is required (email optional if they want notifications), and the user verifies ownership of said address by signing a random token using their wallet. To log in, the user enters their username, a random token is then presented, they sign the token using the address they provided on registration, and boom, they're in.
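The challenge-response login and lockout rules this comment describes, as an added example (not Steemit's code and not the commenter's proof of concept): the server issues a random token, the client signs it, and the server verifies the signature against the public key registered at sign-up. Assumed for the example: Ed25519 from Go's standard library stands in for the wallet's address signature scheme, the lockout is 5 attempts/5 minutes as the comment states, and the owner-notification e-mail is left as a hook.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"time"
)

// ErrInvalid is the only error a client sees: it never says which part failed.
var ErrInvalid = errors.New("invalid credentials")

// Server keeps registered public keys, outstanding tokens and lockout state.
type Server struct {
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte
	failures   map[string]int
	lockedTill map[string]time.Time
}

func NewServer() *Server {
	return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}, map[string]int{}, map[string]time.Time{}}
}

// Register stores the public key the user supplies at sign-up (Ed25519 here, standing in for a wallet key).
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh 32-byte random token, even for an unknown username, so this step leaks nothing.
func (s *Server) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Login verifies the signature over the issued token. The token is consumed on every attempt so it
// cannot be replayed; five failures lock the account for five minutes (owner e-mail hook omitted).
func (s *Server) Login(user string, sig []byte) error {
	if until, locked := s.lockedTill[user]; locked && time.Now().Before(until) {
		return ErrInvalid
	}
	nonce, issued := s.challenges[user]
	delete(s.challenges, user)
	pub, known := s.users[user]
	if issued && known && ed25519.Verify(pub, nonce, sig) {
		s.failures[user] = 0
		return nil
	}
	if s.failures[user]++; s.failures[user] >= 5 {
		s.lockedTill[user] = time.Now().Add(5 * time.Minute)
		s.failures[user] = 0
	}
	return ErrInvalid
}
```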

I was wondering why this wasn't an option also.

You're not legit until someone tries to hack you these days :)

You guys are kicking ass! Keep doing what you're doing, and keep building a fantastic community.

Transparency in this type of situation is more than we can say about the US government these days :)

Cheers!

hahaha so true :D

I can imagine the DAO hacker saying "oh boy, just nabbed a boat load of Steem Power... in 2 years, I'm gonna have some real fun!".