You shall not (leak your) pass!

in #steem · 7 years ago (edited)

Another account was (almost) hacked and three accounts were vulnerable for weeks. 167 valid private keys are still publicly available.
Why?
Because people are putting weird things into memo fields.

Well... "weird things" are not a problem, but when you put there your private active or owner key (or other types of sensitive information), you might end up regretting this until the end of the blockchain.
That means: FOREVER.


Have you entered your key in a wrong place?
Be sure to remember that this is when you lose control over your account.

A few seconds later, a malicious user will take your key and replace it with his own.

If that was your owner key or master password, all you can do is start the account recovery process, which can take days or weeks, but **it has to be completed within 30 days** or your account is lost forever.
It might or might not work and you might or might not be eligible to use it.
After all, you have just lost your account, so don’t expect miracles.

If that was your active key, you can still use your owner key or master password to quickly change the leaked key but...

The clock is ticking

  • Within the next three seconds, you will lose all your STEEM and SBD that were not frozen in savings accounts. (Are you that fast?)
  • Three days after your failure, you will lose all the funds you have in your savings accounts too, if you haven’t been able to regain access to your account yet (How about not losing it in the first place?)
  • Also, Power Down was initiated right away, so a week after your failure, and every week after that, you will lose 1/13 of your Steem Power until your account becomes an empty shell. (Oh, my mistake, it's not "your account" anymore.)

Scary, isn't it?

Such a thing almost happened to one of the users: @photo-trail
(not to mention three others - more details later on)

Fortunately, while monitoring the blockchain I was alerted in time and I've changed that key myself.
(special thanks to @almost-digital for the useful tools he provided)

I sent a message to the user:

"You have leaked your active private key to the public putting your account at risk. Your key was changed to prevent stealing your funds. Please change your active key using your owner key or master password. Be safe."

What was at stake in that particular account?
$30 worth of liquid assets (almost all in SBD)
and almost 2800 Steem Power
Estimated Account Value: $4,355.64

Extraordinary? No. Not at all.
Not long ago, @noisy & @lukmarcus gained access to 11 accounts with $21,749 on them.
Their post called the attention of users to the issue, earned thousands of dollars, received thousands of upvotes, hundreds of comments and tens of thousands of views. Their story was even featured on a popular Polish site, Niebezpiecznik.

So what? Nothing. It just happened again.

Even though it was much less likely this time, because many nodes have been checking memos since #1181 was implemented.

"Transfers with the sender's private key information will be rejected with a soft fork. The error message recommends the sender change their keys in such an event. The CLI wallet does a similar check against the sender's keys and the keys in the wallet."
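The memo check quoted above is a wallet-side safety net: before a transfer is broadcast, refuse it if the memo contains something that decodes as a private key. Below is an added example of such a detector (not steemd's or the CLI wallet's own code): it validates WIF tokens by base58-decoding them and checking the 0x80 version byte and double-SHA256 checksum, and also catches Steem master passwords, which are a WIF prefixed with "P". The `to_wif` helper exists only to build a constructed sample key for testing.

```python
import hashlib
import re
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # no 0, O, I, l

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("not base58")
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a zero byte
    return b"\x00" * pad + raw

def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def to_wif(secret: bytes) -> str:
    # Uncompressed WIF: 0x80 || 32-byte secret || 4-byte checksum (used to build the sample below).
    payload = b"\x80" + secret
    return b58encode(payload + checksum(payload))

def is_wif_private_key(token: str) -> bool:
    # Well-formed WIF: decodes to 37 bytes, version 0x80 and the checksum verifies.
    try:
        data = b58decode(token)
    except ValueError:
        return False
    return len(data) == 37 and data[0] == 0x80 and checksum(data[:-4]) == data[-4:]

def find_leaked_secrets(memo: str) -> list:
    # Scan base58-looking tokens; a Steem master password is 'P' followed by a WIF.
    found = []
    for tok in re.findall(r"[1-9A-HJ-NP-Za-km-z]{50,53}", memo):
        if is_wif_private_key(tok):
            found.append(("wif_private_key", tok))
        elif tok.startswith("P") and is_wif_private_key(tok[1:]):
            found.append(("master_password", tok))
    return found

SAMPLE_WIF = to_wif(bytes(range(1, 33)))  # constructed sample secret, not a real key
```

This flags any well-formed key, not only the sender's own, which is the right default for a wallet; steemd's check goes further and compares against the sender's account keys, and a key glued to other base58 text without a separator would slip past this tokenizer.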

So what about other keys that are available publicly and still valid?
I made a quick scan that revealed another 170 keys.
167 of them are memo private keys. There's no imminent or direct risk, at least not now, but if someone used their memo key in the wrong place, there's a good chance that they are putting their assets at risk by improperly handling their secrets.
Unfortunately, there were also two active keys and one master password:
  • @amrsaeed - the key was leaked 56 days ago during a transfer to poloniex; @noisy has already included this case in his post, and 34 days ago this user was warned by @lukmarcus about the leak
  • @gary911 - the key was leaked 41 days ago during a transfer to poloniex; 34 days ago the user was warned by @lukmarcus about the leak
  • @savagem13 - the master password was leaked 26 days ago during a transfer to bittrex; 5 days ago someone used their password to change account properties to:

`{"profile":{"name":"Savage Money","about":"This Account Has Been Hacked! Please Change Your Password. Your Money is Safe"}}`

(which is not true, because after you have leaked your password/key, your money is not safe)

Surprisingly, none of those keys had been changed (until today, of course, by me), but that doesn't guarantee that the keys were not under the control of malicious third parties, or that the actions made after those leaks and before the keys were changed were made by their original owners. Maybe the malicious users were just waiting for a bigger amount of liquid assets to be available on those accounts. You never know.

Estimated Total "Secured" Assets: $12,000

Another case, another lesson.
This time, again, everything ended (relatively) well.
Who was paying attention?
Are we safer now?
Are you?

No.

It will happen again, one way or another.
Please make sure that it will not happen to you.

TL;DR:

You will lose your funds if you disclose your private key.

(Try to guess: Why is it called PRIVATE?)

Do not learn from your own mistakes, learn from the mistakes of other users.

"Keep it secret, keep it safe"



If you believe I can be of value to steem, please vote for me (gtg) as a witness on Steemit's Witnesses List or set (gtg) as a proxy that will vote for witnesses for you.
Your vote does matter!
You can contact me directly on steemit.chat, as Gandalf



Steem On
Be Safe


Glad to see that Gandalf the Grey has a white hat! :)

Thanks for custom stuff staff ;-)

Hi @gtg I've written an article about you, check it out if you can, thanks.

21 Best Steemians Of The Day To Follow 6th August 2017

https://steemit.com/steemit/@jzeek/21-best-steemians-of-the-day-to-follow-6th-august-2017

Thank you :-)

I can't believe you can just google peoples private keys. All because they are putting them in the memo slot. Lol, I almost did that the other day with my ReddCoin. Not so funny.


http://www.FlippyCoin.com is the #1 Cryptocurrency Exchange!

Exactly on point sir.

(TheGreat)

Was thinking the same :P Thanks for putting some real world examples out @gtg Steemit hackers be like "aint no rest for the wicked, money don't grow in steem" ohh wait...

Hi, sorry for the interruption, why can't I vote for a witness? Your name is not available. Thanks!

Why what means witness?

This post received a 3.8% upvote from @randowhale thanks to @vysmek! For more information, click here!

Better be safe than sorry.
Very useful post for the Steemit and the entire Crypto community!!!

Thank you dude!

This is a good story. I even go through some of the comments. I wish stories like that spread all over steemit to educate and keep on reminding all steemians how to protect their keys.

It is imperative to continue acquiring knowledge on how to safeguard your valuable assets.
Constant reminders are needed to keep new and old steemians aware of this beautiful way of keeping the account safe.
I am still learning about steemit. I am definitely still trying to understand the multiple needs for our account.
Point I want to make. Keep learning.
I wish to see more posts about what keys to use and it could be multiple posts.
It is important.
Thanks guys

Well it's quite unclear.... I don't understand why anyone's surprised. Why do you need a memo key? Why are you told to keep your private keys safe but not told explicitly what keys you definitely want to immediately note down and never show anyone ever again unless you have to?

OH and it would really solve so many problems if there was a 2 factor authorisation. How hard can it be if so many others have it? I think someone needs to remind the devs that it's meant to be a platform for people that are used to facebook and reddit not nerdy crypto complexities that they have to pay attention to.

The thing is that steemit is how some people are being introduced in the cryptocurrency and I don't think many people know what to do regarding transferring things to exchanges and what the memo field is for.

Private keys is what we should all hold close to us and not let anyone know. It is great that everything on the steemit blockchain is known and nothing is hidden. A great transparent system but it also leads to some easy theft of keys from people who don't know what they are doing.

Hopefully this will cause some people to be more cautious and maybe you will be able to help some people save some money @gtg

Thank you for spreading the word! :)

This is kind of the thing that might as well prevent Steemit from being truly mainstream as a social media platform. Even though it tries to be safe, it's a lot easier to make a crucial mistake here than on instagram or facebook. A short look at the tag that we both use fairly frequently, #polish, is a good reminder that a big chunk of the steemit userbase has literally no clue about how it works and how to protect oneself, and they don't mind, they just want to blog a bit.

Nonetheless, great work, glad your username isn't saruman as things would get dark quickly.

I think that we as a community (especially the Polish part, where English can be a barrier) should do everything to keep steemit as a blockchain safe, but what's in my opinion equally important is to make it as accessible and simple for the user as possible.
I know how confused a new, non-technical user can be at the beginning of his journey - it was quite hard to understand for me, a programmer, so what can a total crypto-newbie say? We should be for him someone he can follow and learn from... Someone like Gandalf was for Frodo :) - although it was Frodo's own journey, Gandalf helped him to take the first, most important step.

Flip this made me scared enough to check more than I already am, I am always too scared to push the OK button before I am 100% sure everything is in order. Thanks for the great post, very informative :) I am learning a lot on Steemit!

This is a great reminder. I think people get so used to copy/pasting they don't realize they might have pasted their password to the public. Be safe and diversify!

This comment has received a 6.67 % upvote from @lovejuice thanks to: @theabsolute. They have officially sprayed their dank amps all over your post rewards. GOOD TIMES! Vote for Aggroed!

Hello Friend ! You have an interesting blog, I will follow him and tell my friends! Good luck in your development 👍 I hope you will answer my message and do not miss it) a good day

Good luck friend !

Thank you :-)