It’s been 2 weeks since @noisy posted his text about not hacking 11 Steemit accounts. It was the number one trending post for a week, so at some point probably everyone saw it.
Private memo keys
First let me quote @noisy:
There are 4 pairs of keys: active, owner, posting and memo. Every pair has a public key and a private key. Under any circumstances, you should never expose any of your private keys.
As I wrote in a post, right now exposing a private memo key is not very dangerous. But it was said a few times that in the future memo-keys will be used to encrypt and decrypt private messages. So basically every conversation of yours encrypted with your memo-key would be basically public for everyone who possesses your private memo key.
Also... even right now everyone with your private memo key could try to do some kind of social-engineering attack, by pretending that the attacker is you (because technically speaking only you should be able to sign a message with your private key).
So... no, your account was not hacked right now, but with the private memo key exposed, your account could be attacked in a moment when private-memo-keys would gain some new role in the Steem ecosystem.
But many users, like @dollarvigilante, didn’t take it seriously.
And those users didn’t change their keys. No reason why.
Not in blockchain?
I have found one setting which is not stored in the blockchain. That means it can be changed in the user’s profile with ANY private key. The setting controls whether Not safe for work (NSFW) content is shown.
To show you how it works I have found a user with NSFW content (one post without any images - https://steemit.com/@hungrylilkitten) and I will use @dollarvigilante’s private memo key as an example.
So are you still going to wait with changing private keys for something worse to happen?
A lot of memo keys
You might think there are only a few of those private memo keys so no need to worry. Let me surprise you - there are dozens of them.
Let’s have a look at the number of posted private memo keys (end date is 2017-06-19 17:27:12).
Month | Keys posted | Percent of all |
---|---|---|
07.2016 | 16 | 13.68% |
08.2016 | 18 | 15.38% |
09.2016 | 7 | 5.98% |
10.2016 | 7 | 5.98% |
11.2016 | 1 | 0.85% |
12.2016 | 2 | 1.71% |
01.2017 | 1 | 0.85% |
02.2017 | 0 | 0.00% |
03.2017 | 4 | 3.42% |
04.2017 | 4 | 3.42% |
05.2017 | 23 | 19.66% |
06.2017 | 34 | 29.06% |
First, I’m going to divide it into two categories: Keys posted and changed some time later by user OR keys posted with no response from user till now.
Posted... | Number of keys | Percent of all |
---|---|---|
... and changed later | 42 | 36.75% |
... and NOT changed later | 74 | 63.25% |
Let’s set a point in time called POST. POST is a date when @noisy published his text. Data shown above will be divided into more categories:
Posted... | Number of keys | Percent of all |
---|---|---|
...before POST and changed before POST | 28 | 23.93% |
...before POST and changed after POST | 13 | 11.11% |
...after POST and changed after POST | 2 | 1.71% |
...before POST and not changed | 51 | 43.59% |
...after POST and not changed | 23 | 19.66% |
Posted before POST and changed before POST
Table sorted in ascending order of memo key posted:
User | Memo key posted | Key changed |
---|---|---|
@business | 2016-07-04 20:59:09 | 2016-07-16 08:53:12 |
@katiasan1978 | 2016-07-15 14:53:03 | 2016-07-15 15:02:18 |
@crypt0 | 2016-07-15 20:30:42 | 2016-07-21 18:14:36 |
@pinkisland | 2016-07-20 05:24:15 | 2016-07-24 02:36:45 |
@jl777 | 2016-07-26 23:06:24 | 2016-07-27 17:36:15 |
@theanubisrider | 2016-07-27 19:26:15 | 2016-08-05 02:56:27 |
@toxichan | 2016-07-29 05:03:51 | 2016-08-20 13:36:36 |
@jl777 | 2016-08-01 11:52:54 | 2016-12-29 08:58:39 |
@zhuvazhuva | 2016-08-03 18:39:21 | 2016-10-17 07:50:12 |
@bdavid | 2016-08-04 00:20:03 | 2016-08-12 22:15:21 |
@mandibil | 2016-08-09 21:07:21 | 2016-08-14 12:52:36 |
@konti | 2016-08-12 15:42:12 | 2016-08-12 15:44:39 |
@crypt0 | 2016-08-13 19:29:24 | 2017-05-21 07:50:12 |
@instructor2121 | 2016-08-16 22:56:21 | 2016-10-02 06:57:30 |
@infovore | 2016-08-29 10:32:51 | 2016-09-19 16:38:15 |
@mohammed123 | 2016-09-05 08:17:30 | 2016-09-06 10:22:33 |
@mohammed123 | 2016-09-06 17:40:39 | 2016-09-06 17:42:12 |
@theprophet0 | 2016-09-12 01:00:12 | 2016-10-08 01:03:42 |
@mohammed123 | 2016-09-14 17:48:57 | 2016-09-14 17:57:39 |
@lichtblick | 2016-10-01 14:17:06 | 2016-10-09 07:45:09 |
@hien-tran | 2016-10-13 08:04:57 | 2016-11-19 08:33:36 |
@justtryme90 | 2016-10-17 02:27:51 | 2016-10-26 02:27:57 |
@jacobts | 2017-03-21 10:46:24 | 2017-05-08 18:43:39 |
@berovvv | 2017-05-13 08:18:09 | 2017-05-15 11:50:57 |
@samdaman | 2017-05-14 03:14:03 | 2017-05-21 10:34:57 |
@dancingstar | 2017-05-22 15:41:21 | 2017-06-04 01:52:00 |
@cryptonouvelles | 2017-05-28 23:47:12 | 2017-05-29 01:45:57 |
@tombstone | 2017-06-06 14:18:03 | 2017-06-06 15:37:06 |
Table sorted in ascending order of key changed after:
User | Times used | Key changed after |
---|---|---|
@mohammed123 | 1 | 1 min 33 s |
@konti | 1 | 2 min 27 s |
@mohammed123 | 1 | 8 min 42 s |
@katiasan1978 | 1 | 9 min 15 s |
@tombstone | 1 | 1 h 19 min 3 s |
@cryptonouvelles | 1 | 1 h 58 min 45 s |
@jl777 | 2 | 18 h 29 min 51 s |
@mohammed123 | 2 | 1 d 2 h 5 min 3 s |
@berovvv | 2 | 3 d 3 h 32 min 48 s |
@pinkisland | 2 | 3 d 21 h 12 min 30 s |
@mandibil | 2 | 4 d 15 h 45 min 15 s |
@crypt0 | 2 | 5 d 21 h 43 min 54 s |
@samdaman | 1 | 7 d 7 h 20 min 54 s |
@lichtblick | 1 | 7 d 17 h 28 min 3 s |
@theanubisrider | 2 | 8 d 7 h 30 min 12 s |
@bdavid | 1 | 8 d 21 h 55 min 17 s |
@justtryme90 | 8 | 9 d 0 h 0 min 6 s |
@business | 2 | 11 d 11 h 54 min 3 s |
@dancingstar | 6 | 12 d 10 h 10 min 39 s |
@infovore | 2 | 21 d 6 h 5 min 24 s |
@toxichan | 1 | 22 d 8 h 32 min 45 s |
@theprophet0 | 3 | 26 d 0 h 3 min 30 s |
@hien-tran | 1 | 37 d 0 h 28 min 39 s |
@instructor2121 | 6 | 46 d 8 h 1 min 9 s |
@jacobts | 1 | 48 d 7 h 57 min 15 s |
@zhuvazhuva | 4 | 74 d 13 h 10 min 51 s |
@jl777 | 2 | 149 d 21 h 5 min 45 s |
@crypt0 | 1 | 280 d 12 h 20 min 48 s |
Posted before POST and changed after POST
Table sorted in ascending order of memo key posted:
User | Memo key posted | Key changed |
---|---|---|
@alao | 2016-07-11 15:50:06 | 2017-06-11 17:44:57 |
@saramiller | 2016-09-14 20:54:27 | 2017-06-07 17:26:06 |
@mrgreen | 2016-10-01 11:19:33 | 2017-06-12 13:48:36 |
@lichtblick | 2016-10-10 05:48:15 | 2017-06-07 15:43:03 |
@tomino | 2016-10-27 10:55:51 | 2017-06-12 16:17:27 |
@trump | 2016-12-19 02:05:45 | 2017-06-08 12:40:15 |
@marionjoe | 2017-03-23 12:23:36 | 2017-06-11 15:08:48 |
@steemshop | 2017-04-22 02:28:21 | 2017-06-09 10:52:54 |
@kingofdew | 2017-05-07 21:50:09 | 2017-06-12 13:48:36 |
@worldclassplayer | 2017-05-09 09:08:39 | 2017-06-10 22:49:18 |
@wthomas | 2017-05-24 21:57:30 | 2017-06-07 21:01:03 |
@golgappas | 2017-06-05 17:12:30 | 2017-06-09 17:01:57 |
Table sorted in ascending order of key changed after:
User | Times used | Key changed after |
---|---|---|
@golgappas | 5 | 3 d 23 h 49 min 27 s |
@wthomas | 1 | 13 d 23 h 3 min 33 s |
@worldclassplayer | 5 | 32 d 13 h 40 min 39 s |
@kingofdew | 7 | 35 d 15 h 58 min 27 s |
@steemshop | 1 | 48 d 8 h 24 min 33 s |
@marionjoe | 4 | 80 d 2 h 45 min 12 s |
@trump | 1 | 171 d 10 h 34 min 30 s |
@tomino | 1 | 228 d 5 h 21 min 36 s |
@lichtblick | 15 | 240 d 9 h 54 min 48 s |
@mrgreen | 2 | 254 d 2 h 29 min 3 s |
@saramiller | 1 | 265 d 20 h 31 min 39 s |
@alao | 1 | 335 d 1 h 54 min 51 s |
Posted after POST and changed after POST
Table sorted in ascending order of memo key posted:
User | Memo key posted | Key changed |
---|---|---|
@deividas | 2017-06-10 00:19:15 | 2017-06-10 21:41:24 |
@lulzim | 2017-06-11 14:22:00 | 2017-06-11 15:08:48 |
Table sorted in ascending order of key changed after:
User | Times used | Key changed after |
---|---|---|
@lulzim | 3 | 46 min 48 s |
@deividas | 3 | 21 h 22 min 9 s |
Posted before POST and not changed
Table sorted in ascending order of memo key posted:
User | Memo key posted | Times used |
---|---|---|
@onighost | 2016-07-09 22:17:36 | 4 |
@kakradetome | 2016-07-13 23:45:09 | 11 |
@vovaha | 2016-07-15 21:59:48 | 1 |
@niliano | 2016-07-19 12:16:45 | 2 |
@farinspace | 2016-07-19 14:02:24 | 1 |
@francoisstrydom | 2016-07-19 14:17:33 | 2 |
@qamarpinkpanda | 2016-07-29 14:12:09 | 1 |
@pinkisland | 2016-07-29 14:18:15 | 2 |
@romanskv | 2016-08-06 23:53:30 | 1 |
@slimjim | 2016-08-07 19:12:00 | 1 |
@malyshew1973 | 2016-08-08 01:13:39 | 1 |
@athleteyoga | 2016-08-11 02:28:12 | 11 |
@murat | 2016-08-12 08:34:45 | 1 |
@rawmeen | 2016-08-13 08:57:00 | 4 |
@tee-em | 2016-08-20 19:30:45 | 2 |
@smisi | 2016-08-22 13:16:03 | 3 |
@lostnuggett | 2016-08-23 16:21:15 | 2 |
@dollarvigilante | 2016-08-31 02:10:45 | 10 |
@cryptoeasy | 2016-09-07 10:54:00 | 1 |
@iaco | 2016-09-28 17:59:18 | 1 |
@richarddean | 2016-10-27 13:33:24 | 1 |
@leesmoketree | 2016-11-11 21:42:54 | 37 |
@luani | 2016-12-12 02:48:15 | 1 |
@nikolad | 2017-01-21 09:57:00 | 2 |
@colombiana | 2017-03-20 17:14:39 | 1 |
@beeridiculous | 2017-03-22 09:01:21 | 1 |
@norbu | 2017-04-03 10:44:24 | 3 |
@inphinitbit | 2017-04-18 06:27:24 | 2 |
@maxfuchs | 2017-04-18 15:34:48 | 1 |
@sraseef | 2017-05-02 18:17:45 | 1 |
@surpriseattack | 2017-05-09 05:22:03 | 1 |
@churchsoftware | 2017-05-10 21:19:48 | 1 |
@thunderberry | 2017-05-11 19:03:15 | 2 |
@hithere | 2017-05-14 11:09:21 | 3 |
@walcot | 2017-05-14 19:17:36 | 2 |
@bryguy | 2017-05-17 06:34:48 | 2 |
@mama-c | 2017-05-18 17:26:45 | 1 |
@blockiechain | 2017-05-19 02:42:33 | 1 |
@theofphotography | 2017-05-20 10:46:36 | 2 |
@writemore | 2017-05-20 16:55:12 | 1 |
@nathanhollis | 2017-05-22 15:51:33 | 3 |
@jellos | 2017-05-26 08:35:45 | 2 |
@coincravings | 2017-05-29 09:36:51 | 2 |
@chuckles | 2017-05-29 10:39:57 | 1 |
@amrsaeed | 2017-05-31 18:10:15 | 1 |
@dethie | 2017-06-03 03:42:51 | 1 |
@goldrush | 2017-06-03 10:10:00 | 2 |
@bloodhound | 2017-06-03 16:33:45 | 2 |
@datkrazykid | 2017-06-04 04:08:42 | 1 |
@mkultra87f | 2017-06-06 14:21:00 | 1 |
@lopezro | 2017-06-06 17:32:03 | 1 |
Posted after POST and not changed
Table sorted in ascending order of memo key posted:
User | Memo key posted | Times used |
---|---|---|
@cryptowaffles | 2017-06-07 19:12:39 | 1 |
@webwizards | 2017-06-09 12:00:09 | 1 |
@bitlamb | 2017-06-10 12:07:00 | 1 |
@aresmari | 2017-06-10 17:10:33 | 1 |
@dancingstar | 2017-06-11 01:37:03 | 1 |
@dattabitcoin | 2017-06-13 02:50:42 | 1 |
@wakeupworldnews | 2017-06-15 12:39:06 | 1 |
@gbonikz | 2017-06-15 14:50:21 | 2 |
@chrizbiz | 2017-06-15 20:16:12 | 1 |
@gary911 | 2017-06-16 05:36:45 | 1 |
@hingedthomas | 2017-06-16 11:07:39 | 2 |
@edie84 | 2017-06-16 13:38:36 | 1 |
@brandonas | 2017-06-16 14:08:03 | 2 |
@imccormick82 | 2017-06-16 15:24:03 | 1 |
@marshallevans | 2017-06-16 20:13:12 | 5 |
@rottdean2 | 2017-06-16 21:43:12 | 1 |
@sandman1923 | 2017-06-16 22:31:24 | 1 |
@cwrz1976 | 2017-06-17 02:55:09 | 3 |
@murtazasyedm | 2017-06-17 18:37:42 | 2 |
@elfictron | 2017-06-18 14:02:36 | 2 |
@big-ginger-fuck | 2017-06-18 23:30:57 | 2 |
@acarl211 | 2017-06-19 02:52:06 | 2 |
@neilism | 2017-06-19 02:56:33 | 1 |
@d-pend | 2017-06-19 17:27:12 | 2 |
Can I help?
After publishing this post I’m going to send every user with an unchanged key a minimal SBD transfer with a link to this text and the information CHANGE YOUR PASSWORD. I hope this will work and at least some of those users will change their keys.
I’m going to keep an eye on key updates, and after a week or two the data will be gathered to create new statistics.
What is Memo?
But there is also a second issue that I would like to talk about. Public keys and how users use them as a habit in the wrong places. By wrong places I mean mostly Memo Fields when withdrawing Steem and SBD from markets to Steemit.
I’m going to use Bittrex as an example. I was sending 1 SBD to my Steemit account.
And I received it like this (problem with apostrophe):
I did it to show you that every Memo Field is public. All that info can be found in your Wallet. If you write something in the Memo Field during a transfer from a market to Steemit, it will stay in the blockchain forever. And sooner or later somebody is going to see it and maybe even use it against you.
BECAUSE MEMO FIELD IS NOT THE SAME AS MEMO KEY.
Memo Field is a place for any information you want. It’s a place to write something like My daily update 2017-06-21 or Gift from aunt Betty. This field is for you.
All keys can be found in your Wallet and then Permissions. Those long strings of characters should stay in that place if you don’t know what you can do with them. And Memo key, as you can see, is used to create and read memos.
Public keys
I’m talking about all of this because if somebody has pasted a public key into the Memo Field at least once, there is a possibility that next time the user will paste a private key by mistake. And that’s not good.
There are a lot of tutorials on Steemit with incorrect information. People read them and they make the same mistakes. Here are some of the most popular posts that can be found using Google:
Do you know how many users used a public key at least once to transfer Steem and SBD?
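A wallet or withdrawal form can catch this mistake before the transfer is broadcast. The check below is an added example, not code from this post or from Steemit; it assumes Steem private keys use the WIF encoding (base58, version byte 0x80, double SHA-256 checksum) and that public keys are `STM` followed by a base58 body. The function names and sample values are constructed for illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s):
    """Decode base58 text to bytes; raises ValueError on a non-base58 character."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body

def b58encode(raw):
    """Encode bytes as base58 text (used here only to build the samples)."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def checksum(payload):
    """First four bytes of SHA-256(SHA-256(payload)), as used by WIF."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def is_private_wif(token):
    """True only if token decodes to version 0x80 + 32 key bytes + valid checksum."""
    try:
        raw = b58decode(token)
    except ValueError:
        return False
    return len(raw) == 37 and raw[0] == 0x80 and checksum(raw[:33]) == raw[33:]

def is_public_key(token):
    """Structural check: 'STM' + base58 of a 33-byte compressed point + 4 check bytes."""
    if not token.startswith("STM"):
        return False
    try:
        raw = b58decode(token[3:])
    except ValueError:
        return False
    return len(raw) == 37 and raw[0] in (2, 3)

def classify_memo(memo):
    """Return 'private_key', 'public_key' or 'ok' for a memo about to be sent."""
    # Only whole base58 runs are tested, so a key glued to other base58
    # characters (no space or punctuation between them) is not recognised.
    tokens = re.findall(r"[1-9A-HJ-NP-Za-km-z]{40,60}", memo)
    if any(is_private_wif(t) for t in tokens):
        return "private_key"   # block the transfer and tell the user to rotate keys
    if any(is_public_key(t) for t in tokens):
        return "public_key"    # harmless by itself, but warn: memos are not for keys
    return "ok"

# Constructed samples built from fixed bytes; they are not real account keys.
_secret = b"\x80" + bytes(range(1, 33))
SAMPLE_WIF = b58encode(_secret + checksum(_secret))
_point = b"\x02" + bytes(range(1, 33))
SAMPLE_PUB = "STM" + b58encode(_point + b"\x00" * 4)  # dummy check bytes

if __name__ == "__main__":
    for memo in ("Gift from aunt Betty", "deposit " + SAMPLE_PUB, SAMPLE_WIF):
        print(classify_memo(memo), "<-", memo[:20])
```

Because the private-key test verifies the checksum, ordinary long strings in a memo do not trigger a false "private_key" result, while a pasted key is flagged before it reaches the public ledger.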
Transfers from | Number of users |
---|---|
@bittrex | 743 |
@blocktrades | 13 |
@changelly | 46 |
@freewallet | 18 |
@openledger | 19 |
@poloniex | 1053 |
A lot of them. And there are more than 300 transfers between users!
The best part - many people after the first transfer with public key assume it’s the only good way and they duplicate this error over and over again.
Public keys used | Users |
---|---|
89 times | @lightsplasher |
74 times | @mctiller |
67 times | @murat |
63 times | @vortac |
61 times | @judasp |
54 times | @paws1t1veev |
51 times | @asim |
47 times | @royalmacro |
46 times | @asmolokalo |
44 times | @nxtblg |
38 times | @sflaherty |
35 times | @takertrade |
34 times | @mynameisbrian |
31 times | @surfyogi |
30 times | @btcshare7 @cqf @carface |
29 times | @catulhu |
28 times | @dreemit |
27 times | @coininstant @steemvest17 |
26 times | @laonie |
25 times | @jl777 @marco-delsalto |
23 times | @exploretraveler @sneakgeekz @mixa @otisbrown |
22 times | @politicasan2 @urbanoid @jol @tradz |
20 times | @helikopterben |
19 times | @me-tarzan @claudiop63 |
18 times | @cardboard @henry-gant @addicted |
17 times | @gigafart @btcbtcbtc20155 @sandrino |
16 times | @snubbermike |
15 times | @jerrybanfield @manoami @scotty2729 |
And here come bigger numbers:
Public keys used | Users |
---|---|
14 times | 6 users |
13 times | 6 users |
12 times | 11 users |
11 times | 6 users |
10 times | 17 users |
9 times | 18 users |
8 times | 29 users |
7 times | 36 users |
6 times | 53 users |
5 times | 64 users |
4 times | 88 users |
3 times | 198 users |
2 times | 454 users |
1 time | 620 users |
If you want to know more about public and private KEYS on Steemit - look at @noisy’s profile.
If you like this text - please follow me!
Good job !
Just received your warning in my wallet, will send you some steem back as appreciation! Thanks buddy!!!
Thanks! And watch out in future :)
Nice! I made the "most compromised public memo key list" woot! woot! Nice to be number one at something, LOL. ;)
Thanks for the good information! This subject is confusing. I'm not particularly worried in my case since the memo field is not used by much yet and all the memos are publicly available at this point. However, if the private key was compromised I would be more concerned.
My memos aren't particularly juicy or interesting but now that I know this information perhaps I can get a bit more creative with them.
But if there (settings, permissions) would be in some mysterious way private key instead of public would you see that when copying and pasting?
I respect so much, man.
Hi, I did change it the same day that I used it, thanks anyways for the info!
Thank you very much. I got your message and changed it. God bless and take care 😊
You listed me, but I have never transferred with MY memo key, only the one provided by an exchange. Don't care about that one, that's their problem.
(I did use my memo key a long time ago, but it was pointed out to me then not to do that and I changed the key asap).
You have used your private memo key 8 times before changing it (9 d 0 h 0 min 6 s after first time used).
Yeah that should be from many months ago. It was @anyx who brought it to my attention that this was something I should not use.
I see a lot of work you put in this post.
Thanks for the info, and for the reminder of how important keys are.
Awesome post and great you have alerted the compromised accounts.
Man, I really appreciate this information. The only thing I'm a bit confused about is how to change the keys? I only see an option to change the master key (password,) or does that change all of the keys?
Also I'm assuming from this post that you don't recommend using any of the automation services like Streemian that require your key permissions to operate?
Again, thanks for the valuable information.
If you change the master key, all others would be changed as well.
You can use other Steem Apps and your key to log in, but don't put it anywhere where it will become public.
Ok. I'm really grateful to know this information. I am four days here on Steemit and I read one of those incorrect guides that you listed above saying to paste the private memo key in the transfer. Have you talked to the creators of those tutorials? They're quite harmful for newbies that don't know any better, and I bet the authors would edit their posts if you reached out to them. Thanks for looking out for other Steemians my friend
Thank you very much. I was not aware of. Changed the password, something else needs to be done?
Nope, that's all.
Thank you)
Thanks @lukmarcus for this article. I think I read one of those Steemit articles you listed and I thought I was doing my transfers into Steemit correctly. Thanks for enlightening us on the fact that the Memo field is a note field, not a field for my Memo Key. Keep up the good work!!
The NSFW setting is stored in Local Storage of web browser. This way I can have it enabled at home and disabled at work. That's nice :)
Much love man, thank u
What's wrong with using public keys? Aren't public keys already available to the public?
They are available to the public, yes, but most people simply paste them into MEMO field without thinking and if there would be a private key, they would also paste it.
True that! I was talking to someone who had pasted the public memo key into the memo field and when I told her why did you do that? She said she wasn't sure and she was going to paste the private memo key at first. To be honest, I think the dev team here is to be blamed. Why choose the same name, that is "memo" for two completely different fields? One that is public and one that is meant to be private?