A big mistake made by @noisy: leaking Steemit account usernames and passwords. Pass it on so everyone can protect themselves.

in #feedback, 8 years ago (edited)


Image source: http://kosheronabudget.com/learn-from-my-mistake-simple-steps-to-protect-your-passwords-and-your-identity/

A few days ago @noisy made a post about how they hacked 11 Steemit accounts, and shared the script with everyone.

If by chance you missed it, you can find it here:
https://steemit.com/steemit/@noisy/we-just-hacked-11-accounts-on-steemit-1158-sbd-and-8250-steem-is-under-our-control-but-we-are-good-guys-so

Why share a script? Anyone can use a script and harvest the information exposed by user mistakes, right?
Wouldn't a simple explanation of how it was done be enough? I believe Steemit rewards bug finders for reporting a bug anyway, so in the first place a post should never be made until the issue is fixed. Only after the issue is fixed should the information be released to the public.

Now everyone claims they are heroes. I'm not saying they are not, since they really did a great job, and I might make the same mistake one day, but it will be fixed by then.

Why am i writing this post then?

The biggest mistake was to make a screenshot with the usernames and passwords that had been hacked. They claim they have all been secured, and that the ones that weren't had everything transferred into a savings account, subject to 3 days' unavailability to withdraw funds, to allow the users to change their passwords.

Accounts and credential types shown in the screenshot (the key and password values themselves are redacted in this copy):

password: dunja, anwen-meditates, jakethedog, miketr, blacktiger, quetzal, tieuthuong, aubreyfox, virtualgrowth

active key: trump, amrsaeed

memo key: trump, alao, athleteyoga, beeridiculous, romanskv, blockiechain, bloodhound, bryguy, churchsoftware, chuckles, coincravings, colombiana, cryptoeasy, datkrazykid, dollarvigilante, dethie, francoisstrydom, farinspace, golgappas, goldrush, hithere, iaco, inphinitbit, jellos, kakradetome, kingofdew, malyshew1973, leesmoketree, lichtblick, lopezro, lostnuggett, luani, mama-c, marionjoe, maxfuchs, mkultra87f, mrsgreen, nathanhollis, murat, nikolad, niliano, norbu, onighost, pinkisland, rawmeen, qamarpinkpanda, richarddean, saramiller, slimjim, smisi, sraseef, steemshop, surpriseattack, tee-em, theofphotography, thunderberry, tomino, worldclassplayer, writemore, wthomas, walcot, vovaha

Ok, so following @kingscrown's post about Golos having free money for 2016 steemians (you can find it here:
https://steemit.com/steem/@kingscrown/golos-has-free-money-for-2016-streemians):
Even if you change a password on Steemit, it won't change anything on Golos.
It means anyone who knows that the two are connected can access your account on Golos, change your passwords, post under your name and even withdraw your funds.
And if you are an early adopter of Steemit, there may be quite some money sitting in Golos that you don't know about.

I decided to test it out myself to see whether it works this way.
The first ones were really easy: enter the username and password and you are in. Start a power down, do whatever you want.
[Screenshot: 10_06_2017, 16_46_08.png]
The ones with long passwords required something more, since the screenshot @noisy made did not include the full password.

That's where https://steemdb.com/ came in very handy.
[Screenshot: 10_06_2017, 16_49_24.png]
As you can see, it was very easy to trace the account history and find out the full password, active key or memo key.
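The two mechanics the post relies on (a password that keeps working on a forked chain, and a key that ends up readable by anyone because it was pasted into a memo) are easier to reason about with working code. The following Python is an added example, not code from the post or from @noisy; every account name, password and memo in it is constructed. It implements the Steem-style role-key derivation, WIF encoding with its checksum, and a client-side check a wallet could run on an outgoing memo so that key material never reaches the chain in the first place.

```python
import hashlib
import re

# Added example (not from the post): Steem-style WIF keys, the role-key derivation
# that Steem and its forks share, and a check that flags key material pasted into a
# memo before it is broadcast. All names and values below are constructed.

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes encode as '1'
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("not a base58 string")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def wif_encode(secret: bytes) -> str:
    """WIF = base58(0x80 || secret || first 4 bytes of sha256d(0x80 || secret))."""
    payload = b"\x80" + secret
    return b58encode(payload + sha256d(payload)[:4])


def wif_is_valid(text: str) -> bool:
    """True only if the string decodes to 37 bytes with prefix 0x80 and a good checksum."""
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    if len(raw) != 37 or raw[0] != 0x80:
        return False
    return sha256d(raw[:-4])[:4] == raw[-4:]


def derive_role_key(account: str, role: str, password: str) -> str:
    """Steem-style derivation: the role secret is sha256(account + role + password).
    No chain identifier enters the hash, so a fork that copied the account list
    (the Golos case in the post) accepts the very same key until it is rotated there too."""
    secret = hashlib.sha256((account + role + password).encode("utf8")).digest()
    return wif_encode(secret)


# A WIF key is 51 base58 characters starting with '5'; a Steem-generated master
# password is the same thing with a leading 'P' (52 characters). The checksum test
# in find_leaked_keys() weeds out look-alike strings.
KEY_LIKE = re.compile(r"\bP?5[1-9A-HJ-NP-Za-km-z]{50}\b")


def find_leaked_keys(memo: str) -> list:
    """Return every token in the memo that is a checksum-valid WIF key or master password."""
    hits = []
    for token in KEY_LIKE.findall(memo):
        core = token[1:] if token.startswith("P") else token
        if wif_is_valid(core):
            hits.append(token)
    return hits


def check_before_send(memo: str) -> bool:
    """Client-side guard: True means the memo is safe to broadcast, False means it carries a key."""
    return not find_leaked_keys(memo)


def demo() -> list:
    # Constructed sample: the account and the password are made up, not real credentials.
    master = "P" + wif_encode(bytes([7]) * 32)
    active = derive_role_key("alice-example", "active", master)
    memos = [
        "thanks for the coffee",
        "my login is " + master,   # the mistake described in the post
        active,                    # a bare active key pasted as the memo
        "ref 5ABC12 paid",         # short token, not a key
    ]
    return [(memo[:20], check_before_send(memo)) for memo in memos]


if __name__ == "__main__":
    for memo, ok in demo():
        print(("OK    " if ok else "BLOCK ") + repr(memo))
```

Running the file blocks the two memos that carry the constructed master password and active key and lets the harmless ones through. The same `derive_role_key()` call, with the same account name and password, yields the same key no matter which chain you intend it for; that is exactly why a password change on one chain leaves the other chain's authorities untouched.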

Conclusion:
A big mistake was made by leaking private user information before the bug was repaired. In the future, please don't leak people's private information to the public; some users might be investing everything they have in steemit.com, and mistakes like this one might do more harm than good.

Please upvote and resteem this post so that people know about the existing problem and, if needed or just in case, change their passwords on both websites.


This post received a 41% upvote from @randowhale thanks to @deividas! For more information, click here!

I read that post by @noisy, and saw they had first created and posted a fix to github, and notified Steemit admins. I also later noted they did seek to inform Golos as well, but IIRC they don't know who to contact, and don't speak Russian.

I must agree that if they did not first contact Golos admins and do what was necessary to protect Golos users then they erred. I hope no one has been victimized in this way.

Thanks for posting this, and I hope my resteem helps to protect users of both systems.

Hey @deividas, Great post! Well written article!
How did the hackers get the password screenshots in the first place?

Upvoted and followed :) keep up the great content!

They didn't, because they were the ones who hacked them; it's just that they posted a screenshot of the passwords in public.

Is there any way to fully protect your password, taking into account not saving the password onto your computer and/or not having a screenshot of it saved on your desktop?

Yeah, they only exploited people's mistakes: accidentally pasting passwords into memos during transactions.

Ah, I see! Sorry, I'm currently running on 3 hours of sleep; I must have misread. Great article nonetheless! Can't wait to read your future articles.