Utopian.io Hack - May 3rd - May 4th 2018. No Wallets Or Keys Compromised.

in utopian-io •  7 years ago  (edited)

Due to a recent attack on Utopian services, flaws in our system have been exploited, allowing for full disruption of one of our main production servers and partial loss of data.

utopian-post-banner.png

[EDIT]

Rewards from this post will be donated to Busy.org / SteemConnect for their help in stopping the attack.

The Attack

The attack started yesterday. It was initially identified as a service disruption only, but it appears that wasn’t the case.

  • Our main production server was completely erased.
  • Our CDN, which contained files and backups, was erased .
  • SteemConnect Tokens were leaked from our DB and today used to bulk downvote/upvote random posts.

NO WALLETS OR KEYS WERE COMPROMISED OR WERE EVER IN DANGER OF BEING COMPROMISED DURING THE ATTACK.

The incident was resolved and all the tokens were permanently revoked.

Was my wallet or private keys compromised?

No. No private data was leaked and your wallet was not at risk at any point.

What can one do with a SteemConnect token?

Only basic actions like posting and voting, but never transfers of funds, delegations etc.

Can this happen again if I use SteemConnect to login another app?

The Utopian application database was leaked due to a successful hacking attempt on company servers. The leak was not caused by any security issue in SteemConnect and you are totally safe to use SteemConnect in the future.

For more information: https://steemit.com/steemconnect/@busy.org/automated-votes-abuse-on-steemconnect

Do I have to change my password?

No passwords or keys are stored by SteemConnect or Utopian. This attack does not demand you change your keys or passwords.

Is the issue over? Can my account be misused to vote random posts?

Yes the issue was resolved and existing SteemConnect tokens revoked. No other operations can be broadcasted with the leaked tokens.

Is the hacker or hackers responsible being traced?

We are making efforts to trace and investigate the source of the attack and are checking all possible leads. Working in cooperation with the team at SteemConnect, our hosting service providers, and making use of all available forensic tools, we hope to pinpoint the source of the leak and take legal action against the perpetrator.

What Now?

To ensure your account was not misused, and to undo whatever actions were taken with the use of your token, please go to https://steemd.com/@youraccount and check if any vote was broadcasted without your consent. If so, please revert the vote/downvote.

Within the next few days, we will publish interim guidelines on contributing to Utopian while we restore normal operations.

We thank you for your patience and continued support and apologize for any inconvenience caused.

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

SteemConnect Tokens were leaked from our DB and today used to bulk downvote/upvote random posts.

Can this happen again if I use SteemConnect to login another app?
The Utopian application database was leaked due to a successful hacking attempt on company servers. According to the team at SteemConnect, the leak was not caused by any security issue in SteemConnect and you are totally safe to use SteemConnect in the future.

in case if anyone would like to revoke authorities given through SteemConnect, and if someone is afraid that now it has to use password/active or owner key on SteemConnect website to do that... here I described a way, how to revoke those authorities without using SteemConnect (with Python Steem):

https://steemit.com/utopian/@noisy/7nw1oeev

You still need your ACTIVE key to revoke it. Then change your password and keep it safe.

Thanks @noisy. As for this case all tokens were revoked and utopian.app proxy deleted.

yes. That is what I also said in my video :)

Don't want to rub salt in the wound, but shouldn't a huge project like Utopian, juggling with millions of SP and thousands of users, have a top notch secured servers? To me, there's no excuse for incidents like that.

You are very right @drakos they have to take care about that and they don't have any exuses because we trusted them our keys and hackers downvoted very powerful people from my account because of that, yes I removed the downvote, but what if I wasn't home ? What if I had a vacanccy or something ? Will I comaback after a few days and see that a flagging war started against me ? utopian have to share the reward of the post not just with busy and steem connect , even with those who was touched by this hack, I am working hard on steemit for about a year to take care about my reputation, not to be flagged because someone didn't take care about security, I used utopian a few months ago and I am not using it anymore because if their hard moderation, I forget to revoke them before, I hope that wil not happen with other platforms as well.

  ·  7 years ago (edited)

@drakos we had our servers secured and backups in place. Who did this knew where to act. We are verifying with those who had the possibility to work on our servers directly if there was anything that may have opened a security breach. Literally anything can be hacked. Today was our turn. We are not looking for any excuse. We have been plain honest on what happened here.

When there's no server handling tokens or keys, and that your website build is hashed and verified, then there's nothing to hack. Hackers would need to hack individual users.

@heimindanger we had background processes in place to broadcast actions required for our system to work on behalf of the users. Without having an offline token for that, I don't see how could we have achieved such functionalities. Do you have a suggestions for this?

I believe we shouldn't do operations without the users explicitely knowing about it. What type of transactions do you need for utopian where user consent is impossible?

A possible solution would be a mobile app and push notification. It sends a notification and asks user for approval and unlocking his key for forging the transaction. For example

  ·  7 years ago (edited)

@heimindanger we had a review system in place, where users could make a poll to verify the quality of the post and the final score stored in the blockchain for the original post, among with other similar functionalities. You can't just request for a user consent on every single operation that makes the site functional.

Arguably I have much less need for this type of 'server side' feature. A good example for DTube is the feature to schedule when your video gets published, I've received that one a lot.

Still I believe this ability from SteemConnect to create arbitrary tokens in the name of your users, and giving the power to these tokens to vote or comment or whatever, to be a security issue for the whole network.

So basically you edit the post and put some extra data in it, and for that you need access to the original poster account. You could do that without the user account by using a custom_json operation or inside of a json_metadata of a comment of the post (and using the @utopian-io acc).

  ·  7 years ago (edited)

Working with compromises is always hard. Any established social media platform has a solid Oauth system in place and we should focus on how we could implement the most secure and customisable tool, while not hurting the user experience. I believe there is room for improvements on that. Hacks happen everywhere and at any level, it is always a question of how you could minify the consequences. Obviously we were not ready for this.

When did you last have a penetration test against the web application?

That sucks. Good luck finding the culprit.

Saya tidak khawatir akan hal seperti ini, karena saya yakin @utopian-io mempunyai sistem keamanan yang bagus, semoga tidak ada newbie yang korban disini.

Utopian is giving flimsy excuses for their incompetence. I suggest everyone should change their passwords. Why allow another body who can't secure or encrypt your password on their servers. Why can't utopian use password salts and encryption. So it means they just stored the user's passwords on a stupid server?? I've looked at the utopian repo, it still has more stupid flaws and must be addressed

@doctorvee honestly you missed the whole point. No passwords are ever stored by any party involved. Everything is explained in this post. Thank you

You don't need to start telling everyone to start changing their passwords. You can if you want, Gho ahead but no passwords were compromised so this si just FUD your spreading now. Your comment seems like you just read the title and are just spreading fear for upvotes. Who told you ANYTHING about storing a users password on a "stupid server" haha who runs tyyhis company stupid brand server? I didn't know you could get a stupid servers I thought all servers were inhgeritly smart?

Anyway lol I'm just jokin around with you, heres an upvote, I hope you can calmd own and realize that you just need to re read the article

also I suspect your knowledge and understanding of how all this works is a lil lacking am I right to suspect that? :D

Even Google and Facebook got hacked. Even if the server is super secure, a hacker with the skills could exploit it if such vulnerability exists (which is pretty common).

Well said, it's actually the point.

Utopian overcame abuses, its not a small matter, but surely utopian will make a Come Back a lot stronger than before.

Thank you for making this statement. Many wondered about it.

This attack does not demand you change your keys or passwords..

There is one point too much ^^

Yes thats why we updated everyone with the info

The bigger any platform or venture becomes, more chances of hacking and exploitation are there. Safety is the main concern and we are happy that on time it was diagnosed and stopped.

just posting to show support @elear - what has happened here has been a clear abuse of trust and I am sad to hear it has happened to utopian. Everyone knows who is behind this and utopian have my full support.

Who was behind it?

Nobody knows. But from the looks of it, he is most likely someone who has had a conflict with haejin. The hacked tokens were used to downvote haejin's posts.

Thank you for your support. We appreciate it a lot.

Thank you.

  ·  7 years ago (edited)

I don't. If everyone knows, somebody say so. If nobody says what everyone supposedly knows how do we know whether anyone knows the same thing or only thinks they do.

Great respect for owning this and the honest, open response. These things happen and how they are handled determines if you keep your users or lose them.

Thank you for your comment! We appreciate it a lot.

I'm looking forward for the next update if you ever catch the malicious users.

I still support @elear and utopian team despite all this hacking trouble. You can only make it better.

Thank you for the update.

Thank you

Thank you for your honesty with regards to today's events, I hope that @utopian-io will come back stronger because of this.

I have much to thank utopian-io for personally, and will remain in full support of the project.

Thanks you for your support!

Thank you Asher.

I think this is good that you react quickly but we need to change some things:

  • it is very hard to know which app was hacked. Taking random accounts that downvoted @haejin, there were 3 apps in commons: utopian, busy, dlive.
  • the documentation of steemconnect should be update with secure tips. I am referring to the fact that you store the access tokens while this is apparently not required.

All in all, I am very happy the harm was limited. Utopian is very important for a lot of people and should be secured accordingly.

Loading...

What doesn't kill you makes you stronger!! Now Utopian-io have the opportunity to take advantage of this stab in the back and get even stronger and i am sure that it will become even stronger than before!! Such a powerful platform cannot die in any manner. No hacker or abuse from inside can destroy @Utopian-io. Full support and happy you sorted out things!! Hope to hear soon who was behind it!!

Thanks for the heads up guys. We'll be sure to bury you with contributions once you're back up. :)

Thank you! We hope so :)

Lol.

Thank you for posting about this and removing the tokens quickly because my account voted about ten times today while this was happening and I am grateful no more votes happened especially given I run a voting bot on my account.

I changed all my keys and removed the permissions from every app I use in the meantime to help close possible opportunities for this in the future on any application.

I will resteem this post in lieu of writing my own post about it to help spread the word to anyone impacted and help explain the erratic nature of my account votes today.

Sure @jerrybanfield.i am very sorry to hear this attack has affected also you.

Great that our keys are not compromised. Hope this issue will be solved asap by @utopian-io. And make sure that this type of threats will be avoided in future. Everyone wants secure platform.
Thank You

No problem. We always support Utopian!

Thanks

We always support Utopian. Thanks for your works. 👍

Thanks you for your support and belief in Utopian

  ·  7 years ago 

backups have been erased..? so do you have backups for the backups?

We do. However, the incident began the same day cold storage backups were supposed to be taken. Which are on a monthly basis. Unfortunately, our system wasn't able to backup the backup for the last month.

As stated multiple times the hacker knew where to act and when to make sure no data was safe.

On the bright side knowing it was someone with access makes the suspect list much smaller.

My account is still being misused to upvote random posts. Is what happened right before not related in hacking attempt that happened yesterday?

Thanks for the explanation on what happened @elear and @utopian-io team.

Hope everything is well resolved and this even creates a new more secure structure for the future!

Regards, @gold84

Thank you for your support :)

Thank you!

Good news

Thanks for the update. I wish you swift recovery.

Thank you. We are doing our best and we take this point as a new beginning to make Utopian a solid product.

Thanks for believing in us.

hopefully this incident can be overcome easily. I am proud of @utopian-io, I always support utopian-io, although I have no position in utopian-io. greetings know from me one of the people of the end of the Aceh world

Thank you for your support :)

I thought Utopian was perfect without flaws.

There's nothing perfect on the internet @ewuoso. Anyone can suffer an attack like this.

Thank God utopian has put it's house in order. We'll be expecting more of their usual work in the days to come.

Its alright

@utopian-io what about contributions that have not been reviewed?

We have the list of those contributions. They will be seen and if they are valid, they will be upvoted.

dear @utopian-io, is to give excuses, ignorance, and it makes no difference for the thin. I suggest to everyone to change their passwords. I do not know that it is not are able to achieve, to his bondman encrypt the Or in another. What can be used utopian salts and password encryption.
Don't want to rub salt in the wound, but shouldn't a huge project like Utopian, juggling with millions of SP and thousands of users, have a top notch secured servers? To me, there's no excuse for incidents like that.

Good communication. Glad you are back, but I hope to get more details on the incident.

Thank you

  ·  7 years ago (edited)

Holy shit, then that's the reason for me seeing votes I didn't actually do.

Don't mind much, though, I've never liked Haejin. [apparently he was downvoted in my name]

You should give me a few more downvotes then. He deserves as many as possible.

I'm not sure what do you mean. I don't know who you are, I have no incentive to downvote you.

Thx for this open message. Will be waiting for updates.

Kudos to the whole @utopian teams fast response regarding this issue.

Buen post me encanto , interesante,saludos.

how to contribute utopian now??
and when reviewed old post??

Thank you for hard work utopian team.

The old posts will be seen. We were able to gather the post links so they are not lost and hard to find.

All old posts will be reviewed as usual and how to contribute will be updated soon with the next announcement.

Thanks

You will be able to contribute via Steemit or Busy, I think another announcement will be made confirming when.

Yes, another announcement will come soon. Utopian is not going anywhere, only the tools and process will be a little bit different.

Oh. Was that why the discord invite from one of your comments yesterday was redirected to Zero Coin server?

Where was this comment @johannrandall? This may be something else that may need to be looked into.

Thank you for Information. I resteemed this post.

Quiet friend, a lot of strength and here we send our support

I've created login solution which will prevent attacks like this in the future:

https://steemit.com/utopian-io/@bartosz546/steem-secure-login-browsers-extension

I'm happy utopian supports me with development.

I know and I was trying to aware people that account privalages will end badly. I hope now more people will agreed with my solution and reject steemConnect.

The same attacks will happen in future on all services which ownes this tokens.

interesante la información, pendientes los mas nuevos en esto, gracias por compartir.

Hopefully this is a motivation for the Utopian team to be more careful against hacker attacks for the security of all its members.

Thanks for your prompt responses in Discord. The culprit will be found, they always are.

very helpful information, thank you for restoring the anxiety of our personal account, and thankful for utopian who always support the contribution of us all, hopefully utopian.io can run smoothly and there is no attack from outside again, and also utopian so better than any server, we hope utopian can resume operations as soon as possible.
I personally will always support and be patient in utopia server repair. @utopian-io
regards @ zaid22

After analyzing the security breached and how the utopian project have always take security very serious - all i can say is that The hacker is within
Its very sad someone did this, May utopian-io live long.

Your Post Has Been Featured on @Resteemable!
Feature any Steemit post using resteemit.com!
How It Works:
1. Take Any Steemit URL
2. Erase https://
3. Type re
Get Featured Instantly & Featured Posts are voted every 2.4hrs
Join the Curation Team Here | Vote Resteemable for Witness

Good to know our account is safe now...and no wallets compromised....but what with downvots done from my account?? Is there going to be any negstive impact??
Thanks that we do not need to change our password anymore...

@steemflow if you have reverted any downvote was made on your behalf I don't see a reason why this should harm you.

@elear it is not working yet, the votes are still going on just an hour ago my account used to automatically upvoting @onealfa wthout having any idea of it

Hello @steemflow. The tokens were fully revoked and the app deleted. There should be no way for your account to be used via the tokens that were leaked.

Thank @elear had one gone earloer in the day...but after that there was non....good to know the account get deleted....i belive its anotjer bernie saga...the way @haejin getting targeted..

Howly cow, thanks for being open about the attack. Hope you had enough backups.

Are you going to give any compensation for burned voting power?

We can review case by case for sure. We have [email protected] for any enquiry

Thanks for the information. Hope, it will not happen again. Nearly had a heartattack seeing my account flagging the big whale in the pool...

Yes we are getting better and improving our system

Merci, j'aime etre tenus au courant !! super , mille merci :)
Justement je voulais me renseigner, car on l'a dit que l'on pouvait vendre ces Vote ! Oui ??
Comment !? MERCI

JE N'AI RIEN COMPRIS !!!!!?????
Ici---> Et maintenant?
Pour vous assurer que votre compte n'a pas été mal utilisé et pour annuler les actions qui ont été prises avec l'utilisation de votre jeton, rendez-vous sur https://steemd.com/@youraccount et vérifiez si un vote a été diffusé sans votre consentement. Si oui, veuillez annuler le vote / rétrogradation. ?????!???

Qui aurai la patience de m'expliquer ?? :) :) :)

Thank you for this notification of the event and proper actions to take. I am very proud and happy to be a member of such a transparent and honest organization. I will upvote this post to help reward the organization you mention in the post for discovering this attack or hack, I will resteem it so my followers know and I will vote for you for witness. Thank you

P.S.
May I translate this into another language and repost it citing you as the author?
Many of my followers don't speak English well and it would be better understood in their own language.

Thank you

good article bro

good

  ·  7 years ago Reveal Comment
  ·  7 years ago (edited)Reveal Comment

Which @haejin was responding here? @ranchorelaxo (bikini bitch) is that you??

AHAHAHAHAHAHAHHAHAAHAHAHA

AHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA

@haejin is a piece of shit and nobody gives two fucks about removing the flags.

Go fuck your goat. Go ahead and look into those "obvious" links...fucking moron goatfucker. You think I'm the only one that doesn't like you here? You're about to see otherwise this coming week.

NOTE: I had to repost this due to malicious flags from Haejin.

He now talks in 3rd person about himself. This is like the Jerry Seinfeld episode. Haejin is Jimmy. Haejin is on Steemit selling his shitty TA Charts. Haejin needs more money. Haejin this, Haejin that. Poor Haejin got flagged. Boo fucking hoo.

Didn't you support the fundraising too?

I don't understand the recent flag.

I don't.

How do you SteemIt?

You get I was just trying to get some more support on the fundraising. You voted AND Rancho voted. Figured why not toss Haejin in the mix.

Bringing enemies together for a common cause and something like that. Anyways.

Thanks for smashing that upvote. Means a lot. They've been amazed how much strangers will support someone in need.

He now talks in 3rd person about himself. This is like the Jerry Seinfeld episode. Haejin is Jimmy. Haejin is on Steemit selling his shitty TA Charts. Haejin needs more money. Haejin this, Haejin that. Poor Haejin got flagged. Boo fucking hoo.

Hello @haejin we are ver sorry this attack was mainly targetted against you. We will make sure to spread the message about what happened as much as possible in the next days and already suggesting users to revert their votes if they wish to do so.

Why are you saying your're sorry to the ungrateful piece of fucking shit for? That cocksucker don't say he is sorry for fucking flagging all of my post!!!

I am ready to help you as a developer

  ·  7 years ago (edited)Reveal Comment
  ·  7 years ago Reveal Comment
  ·  7 years ago Reveal Comment
  ·  7 years ago Reveal Comment
  ·  7 years ago (edited)Reveal Comment

You're like a retarded child. Breathe if you're guilty!

Wanna know what role I played? I laughed my fucking ass off when I heard they went after you.

That's it. Keep trying though with your retarded accusations.

I was laughing my ass off too. If you would have done it you, would have flagged post that was gonna payout sooner. Not his most recent post. Haejin is a fucking commie moron.