Third Update to July 14th Security Announcement - Account Recovery Begins

in steemit •  8 years ago  (edited)

Steemit is proud to announce that account recovery is now available for community members whose accounts were compromised during the July 14 hack. To recover your account you will need to complete the following four steps:

  1. Click the "Account Recovery" link at the bottom of this update.
  2. Enter your old Password.
  3. Login via Facebook, Reddit, or provide your email address.
  4. Enter your old Password again, and then provide your New Password twice.

If you logged in with Facebook or Reddit your account will be immediately restored. Steemit will contact everyone else with additional confirmation instructions.

Steemit will be unable to recover your account unless you know a password that was valid within the past 30 days.

Please note that due to our implementation of enhanced blockchain security, new passwords must be 32 characters long. Ensure you use a combination of upper and lower case letters, numbers, and symbols. We recommend using a password manager (pcmag.com).

Returning Stolen Steem and Steem Dollars

The Steemit team is finalizing its analysis of the cyber attack and determining exactly how much Steem and Steem Dollars were stolen from each account. Once we have completed the full account of lost tokens, we will reimburse every compromised user as promised.

Thank you all again for your ongoing patience and commitment to the Steemit community as we process your requests. We are profoundly grateful.

Start Account Recovery

-- Ned

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Thank you for pointing out the need for a good password manager. Some of my friends think the world isn't ready for public/private key encryption on a mass scale, but I like to remind them how at one time many saw email as too hard. Now it's second nature to just about everyone. Internet users can and will skill up and hopefully Steemit will help. If we want to build the economy of the future, we have to up our game, including the latest security updates on our computers, up-to-date anti-virus software, and a good password manager. Let's lead the way to the future economy.
Steem on.

This is a 2nd chance. Don't f up. Change PW and use something secure mix of up and down, special chars etc. Write it down and store it somewhere safe. In support, you wouldn't believe the amount of people that forget their passwords and can't recover their accounts because they didn't set up recovery questions or kept a copy somewhere safe.

If human beings are coming up with the passwords instead of a good password manager, they are already at risk. But yeah, password security is hard. (Cue XKCD post here...)

  ·  8 years ago (edited)

Its nice though not to be as worried about it as much as other cryptocurrencies, as long as most of your Steem is in Steempower. :)

I don't think I've ever used the word "as" 4 times in two
sentences before.

5 times.
(And in 1 sentence. :D)

As one who has seen many exchanges get hacked, I completely agree. As we move forward, we have to act as if we're our own bank.

(dang it, only got 3 "as")

I don't think I've ever used the word "as" 4 times in two sentences before.

If they are using the web interface, the web interface could "cut" easy to guess passwords by requiring long password at least X chars, containing symbols, numbers, letters, caps, etc.

Haha, that's true, buddy. :)

  ·  8 years ago Reveal Comment

I think a piece of hardware like the Ledger Blue wallet will have to become widespread as the crypto age ascends.

I am going for a 256 characters password! Just to be sure.

Perfect comment! We do need to step it up, I feel like a bimbo because I assumed I wouldn't get hacked.
Then I did...

Lastpass with yubikey has been amazing for me. Makes 60+ character passwords no problem.

I went through the process but can't login via the Owner keys to change my passwords...Is that intentional?

Yep! You must login with your posting key first and then go to permissions page and click to "change password" then they will ask for owner key if you want to change it.... They just want to be sure nobody logged in with owner key and are browsing steemit's content! And that is fabulous!

I'm somewhat confused, I restored my account and logged in with the new 32+ char password, but all I see in the permisions tab is this...

Posting Key ===>>> Show Private Key
Active Key ===>>> Login to Show Private Key
Owner Key ===>>> absolutly nothing!!!

am I supposed to login again(second time) with the new 32 chars key?

and most important of all, do I need to change the owner, active and posting keys or the restore function did this for me already?

Thanks

All keys changed with the restore function. Next time login with the posting key for extra security!

https://steemd.com/@chryspano/~owners

  ·  8 years ago (edited)

I like more keepass and it is really free, and more than that: it is open source (OSI certified). http://keepass.info/

I use keepass too, but a lot less as I moved to doing a lot on mobile. Has keepass made it easy to use on Android?

Thanks for all the hard work. It appears I'm back. I know the devs worked day and night. They deserve bottles of champagne. Or Mountain Dew, as I can't picture a dev drinking champagne for some reason.

I pictured them with Red Bulls. :D their veins flowing with 50% energy drinks until the security is up to speed. :)

Hey, thanks again guys for your hard work!!!
I've recovered and changed my password.
Side Note...
You stated that "New" passwords will need to be 32 characters. Is this mandatory or a suggestion???
I bring this up because my new pass is 28 characters and the system allowed me to keep moving forward with it. So if it's suppose to be mandatory you may want to look into this?!!
I'm going back and changing my, now that I've read your post.
Thanks again @ned and @dan

This is a HUGE deal. The fact Steemit was able to resolve the issue of accounts being hacked and return them to their rightful owners in a relatively short time span makes me feel much safer about continuing to invest and use steemit

So much quicker than "ethereum soft fork, okay lets try white hat attack, okey lets just hardfork".

I agree.

What does that mean for people not affected by the hack, who managed to have there owner key cold/offline and don't need/want a account recovery option via steemit.com?
I noticed the field "recovery_account": "steem" in my account data (not sure if it was there before the fork). Is that the account that can recover my account and can I remove that or switch that to a 2nd account I (or a person I trust) control?
Not to be skeptic of steemit team or something, really love what your doing here! I'm just curious about how things work and my options.

Hi that is the friend factor / trustee element of Steem. It has no authority to take ownership of your account, however, it cane used to identify you and help with disaster recovery in the case of a hacked account. It's described here: https://steemit.com/blockchain/@dan/steemit-releases-groundbreaking-account-recovery-solution

Thanks, I some how seem to have missed the main post about the recovery mechanism.

Love all the work you all are putting into this. Revolutionary for sure.

lost ownership of account. all I did was reset password. tried recovery it said password not used in last 30 days. i used it every day. please help

Yes, thankfully accounts that were hacked can be restored now.

Good luck devs!

It worked!!!! I'm back!!!!

Awesome! If you want to cash out any of your $740 steem dollars, it might not be a bad plan so you don't lose it all if you get hacked again. Write-up of steps lives here.

trevon nice!!!! good luck man been watching your vids A++++++++++

Good to have you back brother i remember when i first saw your videos youve come a long way in a short space of time well keep up the good work

Finally no more whining in #general! :p

@Ned/@Dan right about now.

@dan and @ned: do I need to hit the button 'change passwords' to change all the keys? I recovered my account.....this part is not clear to me.

Ok good, it appears you are back in, and the password change updated all of your keys.

not so clear to me either. i recovered the account and have a new master password but once thats all done do we go and change the rest of the 3 keys as well, posting active and memo?

You can, however, there are more security measures in place now.

@ned dude thank you for everything

yup I second that @ned, thanks. You guys saved my account!!

Could you please elaborate on how one can change the posting brain key and perhaps print the private owner key? Thanks!

Under permissions, one can choose the pencil icon for changes, and the key can be copied to a text file for printing.

Thanks @ned, but there is no pencil icon anymore. Before the hack I remember seeing the pencil icon after pressing the bold black text to login... Now there is a blue button to login or show the private key on the right side of the keys... but it is not possible to show the private owner key anymore like before... and it is not easy to use steemit with the posting brain key being the same like the owner brain key...
I pressed the "change password" button below which changed all the keys... but still I do not get the options like the pencil... the security team seems to have changed this permissions page...

It is the same situation for me. The account recovery process seemed to work but there are no icons next to the private owner key, which makes me unsure if I am actually logged in as the owner or not since I see no way to change only the owner password. I am not sure if I should use the "change password" option again? The last time I did so, I still did not see any pencil option or any way to change only the owner key. I'll watch the site for answers/updates, thanks!

Thats correct, one password change on the Steemit GUI will now change all four keys. A user may manage each of the four keys outside of Steemit or using his/her password manager, such as Last Pass. Combined with 'Compromised Account Recovery', the single 'Change Password' is a balance between secure key management and usability. We'll be publishing and pinning more info on Steemit GUI's security and password manager in a post.

Really 32 characters eh? That’s going to make it hard to remember.

  ·  8 years ago (edited)

I'm tearing my hair out. YOU AREN"T SUPPOSED TO REMEMBER IT.

Repeat after me: If you can remember your Steem password, you will almost surely get hacked!

To Steemit devs: you need machine generated passwords. You cannot trust regular users to do the right thing. You need to force their hand. Damn the user adoption hindrance. It is the moral thing to do.

Good point, but i actually don’t trust machines. I’ll add all my pets name together and make something from that..lol

My pet is a parastratiosphecomyia stratiosphecomyioides.

What do you usually do to remember stuff?

Do that.

keepass can remember it for you....

Awesome work guys! Now get some much needed sleep :-)

CG

This Steemit team is really awesome!

Congrats on a breakthru differentiation and congrats again on staying in front of your customers. Awesome product and service!

I did not get my account compromised but i got my SBD and Steem stolen so I hope I get everything back. Thanks ned and dan for taking care of us steemers.

  ·  8 years ago (edited)

Hi, if your tokens were stolen and no keys were changed, then you must update your owner and active keys immediately for us to look into possible theft.

Upon examination, it looks as though your account is compromised. You will need to go through the account recovery process immediately. Thanks for your cooperation.

@ned, Sorry for hi-jacking this comment. I'm also an account with lost funds, I've reset my password and recovered my account. Is the refund automatic, or do I need to do something?

Wow, I saw a few days ago that you were working on this solution...and in my opinion you've delivered in quick fashion. Make these new passwords strong and don't lose them.

yes @blackjincrypto account is back thanks @ned

This is how things should be done.

Dear: @Ned, "steem" CEO of Steemit
You must pay back the steem power that I've lost because your system has caused. You pay for me, because you were defending the interests of the Steemit community
@Ned, "steem" CEO of Steemit. I am waiting for your reply.
https://steemit.com/steemit/@tonyson-ned/ned-steem-ceo-of-steemit-you-must-pay-back-the-steem-power-that-i-ve-lost-because-your-system-has-caused

It would be righteous if you could setup a 2 or 3 factor authentication that would allow any user to roll back any transaction if all of the factors are met. This would exclude a escrow type, or have a time period - a claw back of sorts.

We all know the blockchain is not immutable, if you do not want it to be...

2FA should have been implemented from the get go.. No we need to fix all security issues and stop the cheaters.

Does anyone know why steemit has the only wallet on the internet that does not offer 2fa? Is there some sort of technical limitation that I am unaware of here?

I'm not sure if and how classic 2FA would work her. As I understand it steemit.com is just front-end for the blockkchain and does not handle classical user accounts and authentication on server-side.
You basically enter your private-keys (or the pw to create priv-key from) in your browser and then sign transactions (like upvote, post or steem transfers) with that key in your browser.

In a way it already has sort of a multifactor-auth with the role specific keys,.. just remove the owner and action key from your browser and the worst thing that could happen if you get hacked is someone posting/upvoting with your account, but no steem transfer without owner/active key. I even put my posting key on my mobile, which I normally not trust with cryptos.

very fast,Dpos is grait.

And yet again more proof steemit isn't slowing down anytime soon.

Agree! We will be dashing for the moon. ;)

YES!
It worked. Just recovered my account.
Thanks so much to the team!

Hello everyone. I just wanted to thank you all for creating this great community and wanted to mention my own efforts into making it the best: http://steem.ly/f We created a shortening service dedicated for steem! @doyourpart

Awesome, thanks @ned for the update and new tools!

  1. When you say "new passwords must be 32 characters long":
    Is this the minimum length or the maximum ? If not, what is this maximum length ?
  2. Can anyone spell out what the exact allowed character set is for passwords generation ?

Min length. Going forward we will actually be enforcing full private keys as password.

  ·  8 years ago (edited)

Woowhoo! I'm back. Thank you Ned and team for the hard work, and the blazing fast communication!

Never had a doubt in my mind! Lets get those accounts recovered and backed up!! Thanks again to the Steem Community!

This is how we do It! Great! Good job stuff! TO THE MOOON!

Good job @ned and co. This will be really good news for adoption! Just like with ethereum you took care of the hackers and fixed everyone's accounts! Awesome!

Or when mt gox lost 880k btc and then everyone got it bac .. oh wait, nevermind.

I wonder how many private keys he has forgotten in jail.

  ·  8 years ago (edited)

I have to say I'm surprised by the professionalism and support from the Steemit team, its better than I could have ever hoped for! If it remains like this I see a bright future ahead of us for everyone!
Great job @ned and the others! I can't wait to tell more people about steemit! Was even planning on putting an article in my local paper this week, will make sure to do so now! :)

thanks but a lot of passwords to 32 characters so far this safe.. thank a lot and fanie is back :)

Fantastic work and awesome updates during this entire time. I know I'm just a "fish" amongst several whales and dolphins, but wow.. I'm addicted and I'm in love in Steemit.

Amazing!

and two-factor authentication when do?

deleted comment

love this company! All about that blockchain.

Worked great thnx. 3 Cheers for Ned! :)

Ned - next time you need to post an update, we can totally use my account.

Now you guys are just showing off, nice speedy work gentleman.

Loving your work.

Can i recommend using the login App called CLEF ?
It resists keyloggers at least, since you are not typing while logging in.
And it's a changing algorithm so it is a 2 Factor Authorisation by defaut.
It's also easy for a site to provide it as an option alongside normal login.
Look it up: https://getclef.com/

sounds pretty easy for me. Good job at the steemit Team!

Thank you for the update! What about owner's private key? Is it still not available? Are transfers not possible yet?

Here's another good password manager I've been using for a while and really like - https://lastpass.com

also if you don't have an add blocker - Get One ! It Will Change Your World - adblockplus.org

LastPass is a great option, but another lesser-known one is SuperGenPass.

What would be truly fantastic, though, is if Steemit implemented SQRL. This password-obviating authentication mechanism seems to me to be best of breed: powerful, secure, with contingency plans if you lose your keys, etc.

Are there still problems... ? https://steemit.com/steemit/@iamwne/steemit-again-has-outtages. Is there still a security problem or DDOS?

Great Support for us !!!!
thank u steemit :D

Thank you!

i have a problem . i sent my steems wrongly with wrong memo ( my steemit memo to poloniex ) so how i recover my steems ? from steemit side or poloniex side i have to seek solution ?

Why not add 2FA?

It would be great to add Steem in hardware Trezor Password Manager

Great post :)

great news 8]

I was able to recover the account in this way.

Tried to recover my account, @mynameisbrian, and the passwords I have in my password manager are all failing. It says I haven't used them in the past 30 days, but I have as I've only been around a week or so. Anyway, I sent you guys an email regarding the issue. Based on what I read above it seems I am SOL. Feeling dejected :(

Hi fungal, we will look into this with you. I have your email and have it is being discussed in the office. Thanks for your patience.

  ·  8 years ago (edited)

Thanks for looking into it @ned

I forwarded an email to you with this info. I am now able to make it pass step 1 of the recovery process, but step 2 fails with this error:
Error: 10 assert_exception: Assert Exception found: Recent authority not found in authority history ...

I've been using this new account, but dang it's frustrating not having accessing to my original account (and it's associated SP).

Has anybody else experienced a similar assertion error in the recovery process?

I register via facebook, what I do not need to do anything ?

good news

This is incredible, and addresses one of the biggest problems with crypto: no customer service to bail you out. Every time I think Steemit has won, they move the goal posts and kick it harder. Excellent work!

Cool update!:) Thanks guys!:)

good news

Maybe it is necessary to add in addition two-factor authentication?

luckyly i only have account with low balance its mean i does not really worry thats my account will get stollen

I don't have any SteemDollars only SteemPower, should I or anyone else that made a Steem account prior to the attack change their passwords?

I cannot log in with my other compromised account... I have the private owner key and I know my posting password and owner password... It says the password was not used in the last 30 days, but this is not true. I do not see any old keys in "owner key history". My private key was overridden by the hard fork a few days ago!? Please, what can I do? Thanks!

Please contact us and we will certainly be able to recover it.

Thank you Dan!

can I use the old private owner key i printed out as the password?

I mean the one in WIF format....

Yes

@vidanocturna, once the pw is updated across your keys, you can then create new keys on the permissions page of your account

Thanks Dan, one question, I cannot print out the owner key anymore, and I cannot define different brain keys for each type of key like before. If I change it in the "Change password" option it says that it will change all the keys at once. So not sure if I can save the posting brain key in the browser as it is the same brain key as the owner brain key...

  ·  8 years ago (edited)

I recently wondered what happened to my account bu328281. It has over 2 million VESTS and some STEEM in it. I just didn't have the key to it in my wallet. Spent some hours searching for the key, but nothing.

What happened?

Right after the hack was made public I changed the account info - just to be safe - and what happened? It seems my account got listed in the "hacked" accounts in hardfork 9, and access to it was taken from me. It was never hacked! You just decided it was based on some assumptions.

This is not something I expect form a trustworthy blockchain-based currency, and I expect the developers to return the funds they stole from me immediately.

I am sure they did some type of algorithm on how the hack happened in the first place, so they changed your keys to be on the safe side. If this was the case, just go through the recovery process, and it should be fixed. Please confirm with @ned or @dan .

I'm kinda pissed because I didn't know what happened. I thought I messed up the key change and spent hours searching for the (not existing) key. A little note, for example on the steemit.com account page would have been great.

How we would not want to upvote this post? It's amazing to be part of a great community where everybody care. Thks for all the great work and the security enhancement features.

  ·  8 years ago (edited)

, pw rec workedSweet

We are looking into this, make sure your memo key is also unique. It appears our checks are yielding some false positives.

Should accounts that don't seem to be compromised go through recovery?

No. They should just use password update

Thanks! Im happy

@Ned @Dan

Great to see a quick response and your ability to provide these tools to help out a few early victims.

Can you clarify this question for me and the community ... Where are these replacement tokens coming from?

Did you confiscate them from the hacker ?
Did you buy them on the market?
Did you donate them from your own personal suplly?
Did you let the new steem faucet create these as new?
Or maybe there is another clever way you came up with.

Thanks

All STEEM from the faucet is our own STEEM. All tokens to be returned will come from our own accounts.

@ Dan.

Thanks for the quick reply. And thank you for the supply from your own accounts

What is the available supply in the faucet ? I looked through the white paper but could not easily determine this.
I hope this not happens again, but could your account supply satisfy any future reimbursements in case of other attacks ? Is there a threshold limit ?

Would it not be better to make this a zero sum game ? Use Steem that is bought back from the Market and instead of generating new extra crypto tokens ?

This seems like the government printing money in case the central bank gets robbed.

Can you elaborate your views on this ?

Thanks

@bartcant Thanks for posing these questions. I mean, it's great that the hacked accounts are getting their money back, but the process by which this is done should be made transparent.

  ·  8 years ago (edited)

I think the record would be shown on
https://steemd.com/@steem
https://steemd.com/@steemit

"All STEEM from the faucet is our own STEEM. All tokens to be returned will come from our own accounts. " Dan said. With these replacement tokens, you can check it at transfer history?

Thanks @chamviet.

Can you post a link to the Transfer history ? Maybe an example can clarify and give further transparency
How / When did the Faucet account total get created ? It is not clear from the whitepaper
Is that that the threshold limit in case of future attacks and robberies ?

Thanks

WOW that was fast. And keeping your promise to reimburse is the right thing to do! Keep it up!

This team is ridiculously pro active im glad to be part of this! You guys just never stop we never get left without updates. Great job and keep it up!

Even though i was not compromised, it goid know that the is proactive in making sure its users are whole. It was an expensive bug bounty but it makes the system nore solid.

High quality customer service. I've always been worried about decentralized monitoring and this has brought faith back into the world of Crypto. World of difference from the cryptsy hack.

Now THIS is how you handle recovery from a hack, and restoring confidence in users. Great job! Steemit has passed its first major PR test with flying colors

Thanks to the whole team for all the hard work! Those were some skillful maneuvers! Well done! :)

+1

  ·  8 years ago (edited)

Thanks for the transparency and engagement.

Superb work as always! This will make some very happy steem people!

Awesome!

The dev's are stars, "soldiers in the trenches"....thank you for your service to the community!!! Thank you Ned for your leadership.

For some reason i still can't see the owner key in my permissions page. There is no option to show/hide. Why is that?

Well done Ned,

I really like how you are professional. At the moment I am only at the beginning but I would like to grow up with you guys.

Regards

big thanks to all steemit members

Similar to SP, SMD tokens cannot be purchased directly on an external exchange. SMD are primarily earned through contributing but can be purchased by converting STEEM tokens to SMD tokens.

Actually Steem Dollars can now purchased on external exchanges !
https://poloniex.com/exchange#btc_sbd
https://bittrex.com/Market/Index?MarketName=BTC-SBD

PS Abbreviation of SBD = Steem Backed Dollars
or just SD = Steem Dollars (not SMD please edit)

Thanks for bringing my account to home!!!! my founds are there and also I did a post that gave me 0.15Lol great! this shows how professional and amasing you are guys! looking forward to spread the steem world!

Never loose your keys again! Store them safe after your recovery in the Steem Wallet:

wallet
https://steemit.com/steemit/@mauricemikkers/the-first-3d-printed-steem-product-bringing-the-3d-community-to-steemit

should i recover my account when i dont know if i were compromised?

This is so bloody awesome blockchain security! I remember sending my first Bitcoin thinking "will it really work?" And encrypting everything with GPG. Now we have named accounts (thanks Bitshares), and account recovery, and reimbursement if you get hacked.

Glad to hear you guys are taking care of the people who were affected!

Recovered account! thanks to @Ned and the people working behind the steemit scenes! :-)

oh thank goodness, God bless!!!

now... when we log back in automatically - will this be under the "Owner Key?"

looking at the permissions page - nothing next to owner key; says "show private key" next to private key, and "login to show" next to active key...

would we immediately want to login to show the active key and change the password on it - then use THAT password to login from from thereon in?

Curious to see how all of this plays out.

@ned I bet you do the crossword puzzle in ink. Thanks!

My account wasn't hacked but because I have been locked out of using my owner key for a few days I cannot confirm that I have not stuffed up my key.
I assume that this service will be available later for poor sods like me :)

check steemd.com/@startrek99 to see if your owner key was maliciously changed. Unfortunately, we'll never be able to recover lost passwords.

thanks for the update

Hello guys, I just wanted to ask where can I change my steem password. I tried the link on this post but it will only accept those accounts that were hacked.

LastPass FTW

This is great! Most who couldn't login are probably relieved by this update.

nice posting