SECURITY STATS on 'We just hacked 11 accounts on Steemit!...' - Passwords in the open & reaction time

in #steemit7 years ago (edited)

If you haven’t already read my cousin @noisy post about hacking Steemit accounts...

First of all - I’m not even a programmer.

We found out about human made errors in transfers’ memos. Some users used their passwords in public field so anyone could just “hack” their accounts without any hacking skills. Some of those users used their passwords by mistake and they found out those mistakes. But others... well... they didn’t. Until today their passwords were there in the open.

We found only 9 working passwords and we changed them. But look when they were published:

Reaction timePasswords
< 1 week1
< 1 month1
< 6 months5
< 1 year2

But there are more to that.

We know from experience that passwords begin from P and have 52 or more random characters/numbers. When we searched the memo database we found out 28 of those passwords! Some of them were already changed but we can’t be 100% sure if they wasn’t changed by someone else. And I suppose there are a lot of not-generated passwords that were changed already. We will never found it out.

Here is the known list:

UserPassword publishedPassword changed
@anggicitrayani2017-05-06 04:12:242017-05-09 04:07:00
@anwen-meditates2016-07-25 04:22:332017-06-07 13:10:51
@aubreyfox2017-01-21 14:52:092017-06-07 13:14:54
@blacktiger2017-05-10 14:55:482017-06-07 13:14:30
@christoryan2017-03-28 09:19:542017-04-09 02:08:18
@crazymumzysa2017-02-04 11:07:152017-02-04 11:09:51
@dunja2017-02-20 01:11:512017-06-07 13:10:00
@elewarne2016-10-29 13:07:092016-10-29 13:43:33
@hansolo2017-02-25 14:03:362017-02-25 14:24:27
@hpns01102017-06-05 14:33:242017-06-05 14:43:06
@jakethedog2017-03-21 22:16:032017-06-07 13:10:54
@loveofprofit2016-09-12 22:55:182017-05-31 17:55:27
@marszum2017-05-20 16:56:182017-05-21 22:48:03
@me-tarzan2017-02-12 19:05:122017-02-15 13:54:33
@miketr2016-07-30 13:28:092017-06-07 13:13:24
@quetzal2017-06-04 10:47:032017-06-07 13:14:36
@ricardoguthrie2017-04-25 23:36:182017-05-14 19:30:06
@riskdebonair2017-05-29 18:12:362017-05-29 18:15:03
@streetartgallery2016-11-01 19:40:482016-11-01 19:46:24
@t3ran132016-08-16 19:28:482016-08-17 05:38:24
@technology2016-08-15 15:42:182016-08-15 23:50:57
@tieuthuong2017-03-19 01:44:182017-06-07 13:14:42
@uiaslout2017-05-11 17:15:032017-05-15 04:57:06
@virtualgrowth2016-10-24 19:10:062016-10-26 04:49:06
@virtualgrowth2016-12-06 19:08:452017-06-07 13:00:33
@voiceover2017-03-25 17:03:002017-03-29 23:14:48
@xcigar2017-06-03 23:18:002017-06-03 23:21:33
@zer0hedge2017-06-03 02:24:482017-06-03 02:25:24

Let’s sort it by reaction time of password changed.

UserReaction timeOur action
@zer0hedge36 sno
@riskdebonair2 min 27 sno
@crazymumzysa2 min 36 sno
@xcigar3 min 33 sno
@streetartgallery5 min 36 sno
@hpns01109 min 42 sno
@hansolo20 min 51 sno
@elewarne36 min 24 sno
@technology8 h 8 min 39 sno
@t3ran1310 h 9 min 36 sno
@marszum1 d 5 h 51 min 45 sno
@virtualgrowth1 d 9 h 39 min 0 sno
@me-tarzan2 d 18 h 49 min 21 sno
@anggicitrayani2 d 23 h 54 min 36 sno
@quetzal3 d 2 h 27 min 33 sYES!
@uiaslout3 d 11 h 42 min 3 sno
@voiceover4 d 6 h 11 min 48 sno
@christoryan11 d 16 h 48 min 24 sno
@ricardoguthrie18 d 19 h 53 min 48 sno
@blacktiger27 d 22 h 18 min 42 sYES!
@jakethedog77 d 14 h 54 min 51 sYES!
@tieuthuong80 d 11 h 30 min 24 sYES!
@dunja107 d 11 h 58 min 9 sYES!
@aubreyfox136 d 22 h 22 min 45 sYES!
@virtualgrowth182 d 17 h 51 min 48 sYES!
@loveofprofit260 d 19 h 0 min 9 sno
@miketr311 d 23 h 45 min 15 sYES!
@anwen-meditates317 d 8 h 48 min 18 sYES!

When we compress it a little:

Reaction timePasswords
< 5 minutes4
< 10 minutes2
< 1 hour2
< 1 day2
< 1 week7
< 1 month3
< 6 months5
< 1 year3

And finally when it will be changed into graph with days in bottom:

CONCLUSION!

Be careful! This data can be found by anyone and it’s still out there in the open! Think twice when posting a memo during transfer!

Sort:  

Interesting stats! I'm very happy that you guys used the opportunity to educate people about the dangers of posting the password in the memo field. If the wrong people had figured this out before you guys, a lot of money could have been stolen. Luckily, seeing as several of the people had this public for over 100 days without anyone changing it, I would guess that no one has figured this out before you guys.

It's hard to tell if those passwords were really changed by authors or some random people who by accident found those passwords in wallet page.

Really well done! Thank you so much

While this post may not make as much money as the original, I am super glad you did make it.

The stats and data of reaction time, and everything else you put in here was incredibly interesting for me to read.

Thank you for taking the time to produce this data and present it in such an easy-to-read, professional looking manner. WOW! Great work!

Thanks for help with whole thing :) I is good to have you on Stemit next to me :)

We're like good cop and... good cop :)

Thanks for sharing the info it worth more than a thousand dollars

Can you good cops help me put, need Steem Power that can get me $700 per post

Fastest reaction time, Do I win something ?

You win not loosing your account :)

Yes I had thank you so much guys well done

LOL, that's a lot of stats! How do you even handle that!!

@ lukmarcus Wo!!! Thank you for your work.

This is a warning for us. Let be aware with careless action.

Nice job with these stats. I curious, did you try to search for these "peoples" in other places like reddit, fb, gmail or something... Maybe they leave marks?

What do you mean by leave marks?

someone can have similar nick/login/email and post information similar to these from steemit accounts.