OMG
These have been the most thrilling 48 hours in my SteemIt career. I’m still shaking... My account got hacked, I was locked out, while the hackers took my SBD, undid all my delegations and started powering down. It was a terrifying race against the clock to see if I could regain access to my account, and all my funds, before they managed to steal it all.
A Little Background Information
As you may or may not know, I started my SteemIt adventure with the username @mike314-005. Right, I don’t know what I was thinking signing up with that name. ;0)
By the time I had reached a reputation score of 51 and got around 500 followers, I decided I needed a different username if I wanted to get somewhere on this platform.
So I used Blocktrades to create a brand new account with the username @simplymike.
I didn’t close the old account, but decided to delegate all my SP to the new account. With that delegation, an extra investment and a lot of blood, sweat and tears, I managed to grow the @simplymike account to reach a reputation score of 53 in only 45 days.
I was pretty proud of this achievement, to be honest.
GrumpyCat
The day before yesterday, disaster struck...
I received a comment on one of my posts, in which was mentioned I received a GrumpyCat flag for using ‘the wrong bots’. I had seen these things around before, so I didn’t think much of it.
Please note that the @grumpycat account had nothing to do with the hack. The hackers simply imitated the comment, knowing people wouldn't be very suspicious because they had seen it before.
Since I had not paid for any bot, I replied to the comment, telling the posters they should reprogram their bot, because it was wrong.
I thought it would probably be a good idea to leave a comment on one of the poster’s articles instead of the flag-comment, so I clicked the ‘Learn More’ link.
SteemIt had been acting up these last couple of days, so I wasn’t really surprised when I was asked to log in after clicking the link. I did, and was redirected to a post by @grumpycat. Nothing weird about that...
They Tricked Me
I didn’t realize something was wrong until I tried to post a comment to the article. The system told me I had no permission to post.
Strange, but since SteemIt can be unpredictable sometimes, I still didn’t worry. I tried my phone... wouldn’t work. I tried my tablet... nope. When I tried to log in to Busy.org and that wouldn’t work either, I realized something was terribly wrong...
On top of that, I started to receive notifications through my Steemify app which indicated that my account was posting ‘GrumpyCat flag-comments’ on other accounts.
This was bad... really bad...
I Ran Home
I didn’t really know where to go, so I stopped by the Steemcleaners channel on Discord to notify them,and then to the one place I could think of: the #newbieresteemday Discord channel, which I, surprisingly or not, considered as ‘home’.
I was very fortunate I bumped into a couple of bulldogs there, you know, the kind of people who bite something and won’t let go until they’ve done everything they could to solve it... @deliberator, @penderis, @wilfredn, @bashadow, ... thanks for your help and support, I owe you!
Nuked
Suddenly, I saw my reputation score get back to -1. I was freaking out: I had worked so hard for that rep of 53...
Because the hackers were using my account to send out phishing comments, @guiltyparties had nuked it by flagging all those comments, just to make sure the comments would be hidden and the phising attack wouldn’t make more victims.
It was just a precaution measure...
Power Down
Meanwhile, the hackers had started to power down my account.
If it wasn’t for the SteemIt rule that a power down takes 7 days to be executed, I would have lost a lot of money in this.
Now, all the hackers got away with was a little over 14SBD, which is peanuts considering what it could have been.
Lessons Learned
It took a little less than 24 hours to regain control over my account, so this story has a happy ending.
It’s a bit unfortunate that it took such a dramatic event to learn some very important things.
I’ll be discussing everything I learned during this attack in my next couple of posts, but there is one thing I already want to share with you:
NEVER, EVER use your ‘Master Password’ for daily logins!!
Like @rycharde from the M-A-P channel stated:
The Password is your "ultra secret never to be revealed master key to the steem universe"
I did read the FAQ, but I managed to miss that part, and I’m pretty sure a lot of you have too.
Save your master password and keep it somewhere safe.
Only log into your account using the key with the appropriate permissions for what you are doing:
- Posting key for every day logins
- Active key when necessary for transfers, power ups, etc.
- Master password or owner key when changing the password
Again, save your master password and keep it safe! If logging in with your post key, make sure you don't overwrite or misplace your original master password.
I’ll be writing a more detailed guide soon, but I thought this was too important to leave out at this point.
If I had used my private posting key to log in, the hackers would only have been able to post the phising comments, but my money would have been save.
A Word Of Thanks
So, this story has a happy ending, but that was only thanks to the help of a lot of other people.
So, I’d like to put a couple of those in the spotlight below.
Thanks for jumping on and helping out, guys (and gals ;0) ). I couldn’t have done this without you!
Loads of thanks to
@deliberator, @penderis, @wilfredn, @bashadow from #newbieresteemday who jumped on it like a dog on a bone, supporting me all the way through.
@guiltyparties, @stresskiller and @pjau over at Steemcleaners for the info and @patrice for undoing all the flags, re-instating my precious rep score.
@drakos over at the help channel on SteemIt Chat for taking the time to reply and to tell the guys over at Blocktrades they needed to act! If it weren’t for you, @drakos, I would still be sending emails to them telling them they should be providing a way to recover my account.
Dan from @Blocktrades, for stepping up and initiating the recovery process.
@rycharde from #mapsters for all the useful info
@anupbose and @kobusu, for using their resteem service to get out the word about the phishing attack, by resteeming a message I created on my old account, even though I didn’t have any money in that account to pay them with.
The guys and gals over at the #alldutch community and of course @davemmccoy for the moral support.
And everyone else who supported me to get through this. There were moments I lost hope and wanted to quit and forget about SteemIt alltogether, but thanks to everyone who chipped in (like @mudcat36, who resteemed all my visible post to help me get back on my feet), I got through.
This was another example of how strong the SteemIt community really is, and a reminder why I love it so much.
This event allowed me to meet new community members, as well as get to know some members better. Together with the lessons I learned this has been a valuable experience, which fortunately turned out fine!
More Posts You Might Like
Help Put a Post to the Top of Trending, Without Vote Bots! Join The Minnow Votes Project!
What Would You Do With A 700SP Delegation?
Newbieresteemday-Week: The Curated Articles, The Winners & 2 Articles You Simply Nééd To Read
FIGHTING THE GOOD FIGHT ~ HOW YOU CAN DO YOUR PART IN THE BATTLE AGAINST REWARD POOL ABUSE
I'll Show You The One Thing You Need To Do To Never get Bitten By Cheetah Again!
Image Sources:
Pixabay
Giphy
Grumpycat screenshot taken from one of @grumpycat's comments