How I Could Have Prevented My Account From Being Hacked
The Paranoid are Secure
I like to consider myself as very security conscious. I mean, c'mon. I'm a mathematician. By definition, that means I am paranoid. So, when this hack occurred, I didn't know if my account was compromised. In fact, there were several mentions of hacks going on in Slack. As such, I began the process of changing my keys when that happened. Alas, I was too late, and the hacker had managed to take over my account.
Mea Culpa, Mea Culpa, Mea Maxima Culpa
Now, first off, I had no one but myself to blame. I should have updated my key authorities ages ago. I did at some point but had some issues with voting (probably user error) after a change, and so I put everything back to one common key. BIG mistake.
If my account had been properly secured, I would have had all 5 keys be different.
What Went Down
From the best that I could understand, I was logged into steemit using my owner key (which is a very poor operational security choice, since that is your MASTER key and is probably best kept OFFLINE) and stumbled across one of the pages with the XSS exploit. At this point, there was no hope, and my owner key (and active, posting, and memo keys) were compromised.
I had a power down scheduled on Thursday and sure enough the attacker managed to move my powered down Steem.
Who you going to call?
Developer Superheroes
Fortunately, your neighborhood friendly blockchain developers at Steem and the team at Steemit had a solution in place in a relatively short amount of time (some may call it too short and others not short enough). I confirmed to Ned via voice that my account had been hacked (didn't answer, as he had more important business to attend to, but left a message), and then sent steemit an instructional email on transferring my account by giving them the corresponding public keys of some newly generated private keys. The email I sent was signed with my GPG key as a means of identity verification.
Steemit then transferred my account
1 Key to Rule Them All
Each account has 5 keys:
- Owner
- Active
- Posting
- Memo
- Signing
Now, the first 4 are in a hierarchy with Owner at the top. This means that anything the 4th key in the list (Memo) can do, the 3rd (Posting) can do, and so on up to Owner.
Owner
Your main key. Keep this offline. Secure in a vault. Dig a pit. Put it in a time capsule for your kids.
Don't put it in a safety deposit box at a bank though. They may be out of business soon with Steem knocking at their doors.
Active
2nd in the hierarchy of keys. Useful for power users and if your posting key is compromised.
Posting
For most accounts out there, this is the key you are using to post and upvote content. Guard it wisely.
Memo
You can, if you are so inclined, send encrypted messages on the blockchain to another user. Your memo public key and that of the person to whom you are sending the message are used in a shared secret scheme to encrypt your message.
Signing
This is used for signing blocks if you are a witness or a proof of work miner. If you mine an account, all keys default to this.
Conclusion
I could have saved myself a lot of headache if I had swapped my keys early on! Here I am, supposedly security conscious, and I failed to do that.
Since the attack, I have exerted complete control over my account. Wazoo.
You can save yourself a lot of trouble with the following cli_wallet command:
update_account YOURACCOUNT "{}" OWNER_PUBKEY ACTIVE_PUBKEY POSTING_PUBKEY MEMO_PUBKEY true
Keep it steemy.
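To check whether an account is in the "one common key" state described in the post before running update_account, the following added example (not code from the post or from the Steem project) reports every public key that appears under more than one role. It assumes the account record has the shape of cli_wallet's get_account output (owner/active/posting authorities with key_auths, plus memo_key); the account name and all key strings are constructed placeholders.

```python
# Added example: audit a Steem account record for keys reused across roles.
# Assumption: the dict mirrors the shape of cli_wallet `get_account` output.
# Every key string below is a constructed placeholder, not a real key.

# Constructed sample: one key under every role (the "one common key" setup).
SAMPLE_ACCOUNT = {
    "name": "exampleuser",
    "owner": {"weight_threshold": 1, "account_auths": [],
              "key_auths": [["STM_PLACEHOLDER_KEY_A", 1]]},
    "active": {"weight_threshold": 1, "account_auths": [],
               "key_auths": [["STM_PLACEHOLDER_KEY_A", 1]]},
    "posting": {"weight_threshold": 1, "account_auths": [],
                "key_auths": [["STM_PLACEHOLDER_KEY_A", 1]]},
    "memo_key": "STM_PLACEHOLDER_KEY_A",
}

AUTHORITY_ROLES = ("owner", "active", "posting")


def keys_by_role(account):
    """Map each role name to the set of public keys attached to it."""
    roles = {role: {key for key, _weight in account[role]["key_auths"]}
             for role in AUTHORITY_ROLES}
    roles["memo"] = {account["memo_key"]}
    return roles


def shared_keys(account):
    """Return {pubkey: [roles]} for every key that appears under 2+ roles."""
    seen = {}
    for role, keys in keys_by_role(account).items():
        for key in sorted(keys):
            seen.setdefault(key, []).append(role)
    return {key: roles for key, roles in seen.items() if len(roles) > 1}


def audit(account):
    """Return readable findings; an empty list means no key is reused."""
    findings = []
    for key, roles in sorted(shared_keys(account).items()):
        findings.append(f"{account['name']}: {key} is shared by {', '.join(roles)}")
        if "owner" in roles:
            findings.append("  owner key doubles as a lower role's key; rotate it")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_ACCOUNT) or ["no key reuse found"]:
        print(line)
```
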
This is great advice for anyone, even if it is just a reminder. The remedy to this situation is a testament to the team; my hat is off to all who worked together in resolving this.
I agree, the response time, transparency, and overall professionalism of the team during this time have been phenomenal!
What are we supposed to do if we registered via Facebook? How can I generate these different keys please and obtain my current private keys?
I've been wondering the same thing, and have been worrying about the security @complexring, can you help us?
Wait for more information from the team. There will be detailed instructions soon.
The devs have a solution on the way. The latest version, which has been reviewed and passes all unit tests, allows for account recovery and gives various authorities to either the top witness or to Steemit's main account. You'll see more details from the Steem team soon!
There will be additional UI changes to separate out user posted content and voting from the other roles. These could be separate sites entirely. I would like to see Steemit use separate domains for these two sites.
Sounds like there could be additional security implications in giving more authority to witnesses or Steemit itself. Do you have any thoughts on that?
I think the 30 day rule for making transfers irreversible helps a lot. Also, steemit has an incentive to try to be fair and maintain account security, while doing so in a decentralized manner in the spirit of the blockchain. Not an easy feat.
Thank you for the info, I know the steemit devs will come up with a secure solution. Everyone is going to be happy, especially all of us who have been a part of this so early on.
good question
FINALLY, I've been looking for a post like this, but I can't find a search to search for anything on this site. Thank you very much for the tutorial.
WE NEED SEARCH. I cannot find ANYTHING on this site and browsing is rough.
Did you try that little magnifier icon in the top right corner?
https://steemit.com/search.html
Can you explain the cli wallet command and how it's used?
You need access to a server to compile the code and run a full node of the Steem blockchain. When connected properly, the cli_wallet is a tool for communicating the commands that you want broadcast onto the blockchain.
Definitely a tool for power users, but it's possible to learn! There are some good guides by @steemd and many others that exist to help the newbie understand more.
Thanks for this. The hacker has powered down my account so my question is, is there any way for me to stop that? I don't yet have control of my account as I was in the second round of hacks. In fact I was in the process of securing it when I noticed I was too late!!!!!!! Great info.
You should be safe @stellabelle. All compromised accounts are in the hands of Steemit. In addition, some additional security measures are being put into place with respect to transfers.
Since power downs take a week, I expect you to have your account in control way before then.
Agree with complexring above, it sounds like any account changes/transfers made in the hands of the attackers are going to be reversed by the devs, so all should be well for you soon!
Thanks. I was rattled bc I've never been hacked ever before.
Sure thing! Being hacked is always scary, whether it's your first time or hundredth time :P
A lot of the time you're on your own and the damages are basically gone without any hope. But it seems here the Steemit creators and devs are watching your back like a hawk, which is really lucky in a high-stakes environment like steemit can be.
Thanks ...I like this one most ;-) "Don't put it in a safety deposit box at a bank though. They may be out of business soon with Steem knocking at their doors."
You learned the hard way - thanks for sharing what you would have done differently. I have no idea about CLI so I'm not sure how to update passwords just yet.
I've been trying to get this done for 8 days now !
If you want to secure your wallet, you may write your password in a secret note and save it! If you forget your password, you can become a stranger to your own wallet!
Thanks for not only the detailed original post but also the follow-ups with all the users here. It's invaluable.
Just doing what I can to help make this an awesome community. There were many before me who paved the way and who did amazing posts on how to do things! Most of the answers people are asking for have been around since the early days. It's just tough to find the info now without a good search mechanism.
I have changed my owner key and my active key. I'm logged in just with posting, but because I signed with fb am I still at risk?!