I'm Back!!! How my Account Got Stolen, How to Avoid Having This Happen To You, & How To Fix It!
I got locked out of My SteemIt exactly 4 days, 3 hours, and 36 seconds ago.
Ok, I'm kind of exaggerating. I didn't count it that closely, but it has been 4 very long days without SteemIt.
Why? How did I get locked out of my account?
Like a genius, I published my password in a post... wasn't very careful with my password. So, my account got stolen.
First off, I would like to give a shoutout to @aggroed and @drakos for giving me information on how to get my account back and for talking me through the ways to do it. Also a HUGE thank you to @someguy123 for recovering my account for me with anonsteem!
This is going to be a bit of a long post, but I think it's important to share this information.
So, I will explain to you how exactly I lost my account, what I did to get it back, along with some tips to prevent this in the first place. This is some serious genius territory, right here.
How I managed to lock myself out of my account in the first place
In a short answer, I copy & pasted like a pro and didn't read my post over before I published it. I was intending to copy & paste a link, I pushed CTRL + V, published my post, and that was that.
And just so that you can fully comprehend the sheer brilliance of what I did, here is a picture to prove it:
Don't worry, that's not my password anymore. 😉 My password is a secret now. That is all I had to do, and I was immediately locked out. That's how easy it is to screw up all you have been working for on SteemIt.
SteemIt Bots
As soon as I published that post I was instantly signed out of SteemIt. No, I didn't even have time to delete the post or change my password. It wasn't even 10 seconds and I couldn't get back in.
And it felt like the world was ending, it was terrifying. I thought I had lost my SteemIt account forever, and that my last 3 weeks spent on SteemIt meant nothing. I thought I was going to need to start over.
In my panic, once I realized what I had done, I went back and tried to edit the post and the little "edit" button wasn't at the bottom of my post. Huh, that's weird, I thought. It was because I was already signed out.
The reason for this is SteemIt bots. There are good bots on SteemIt, and there are bad bots. And some of these bots are programmed to scan for passwords. If it is a good bot that does this, chances are you will be able to recover your account and won't lose your money. If it is a bad bot that gets to it first, you will be locked out and the chance is there that you will lose everything in your account.
I am fairly certain it was a bad bot that got to my account, but I got lucky. I got lucky for a few reasons:
#1: I didn't have a large sum of money in my SteemIt account. I only had a few cents in there, lucky for me.
#2: I had recently changed my password.
Which brings us to...
Change your password at least every 30 days!!
SteemIt cannot recover a password if you lose it. And there is absolutely zero chance of your account being recovered if you don't have your most recent password.
A "most recent password" is a password that has been updated within the last 30 days. This is what will allow you to recover your account, should you ever need to.
What happened when the bot stole my account was that it generated a new master owner key, thus locking me out and taking ownership over my account. Right after I got locked out, I checked my steemd and noticed something curious.
Right when I published my post, it showed I updated my account data. I was like... ummm, no I didn't...
No. I didn't.
The bot did. That, right there, is the evidence that a bot changed my password and took authority over my account. I didn't do anything to my account settings that day.
But, if you have a most recent password, you will be able to recover your account and lock the bot out.
This works because in the account recovery process, if you have a recent password (and verification of your identity through email, or something else, more on that later), SteemIt will generate a master owner key to match your original password, from when you had authority of the account. This is because your password is stored in the blockchain for 30 days, with your account authority information. When it recognizes you have authority again, it will invalidate the bot's authority and lock it out.
Edited To Add: According to @someguy123, It is after 30 days since changing your password that the recovery window for your account is blocked. This is a built-in safety feature to protect accounts from hackers. So the biggest thing is making sure you keep your password somewhere safe so that you don't lose it, and making sure you have several copies of it is smart. How I understand it is you don't necessarily need to change your password every 30 days, but if you do it should keep your recovery window for your account open, in case you do need to recover it. So take that as you will, but I will DEFINITELY be changing my password frequently, just to be safe so that my account recovery window will stay open.
You can read more about account security here and here. Thank you @drakos for these links!
Again, this is why you need a recent password to recover your account!
Don't keep a large sum of money in your SteemIt account!
If I had just had a large sum of STEEM Dollars in my account, chances are, it would be gone by now. Luckily for me, I only had 92 cents because I am just starting to build my account and my following. So that must not have been enough money for the bot to bother with taking 😏.
So I would strongly recommend that you don't keep a lot of STEEM Dollars in your account at once. Once you get a pretty good amount I would either transfer it to STEEM Power, or cash it out. This way if your account ever does get stolen, you don't lose everything. I know I will be doing this.
Log in with your private posting key, not your master password!
I also learned through this mistake, something very important. Something I am glad I learned before I was too far into my SteemIt career.
If you are just logging into SteemIt to post and browse through posts, you only need to log in with your private posting key. You only need to log in with your master password when you are transferring money or updating your account settings. But if you log in with your private posting key, if you accidentally make the copy & paste mistake, it won't be quite as big of a deal. You should have time to edit your post and take it out, and it makes it harder for your whole entire account to get hacked.
To log in with your private posting key, go to your wallet > permissions and click on show private key to the right of POSTING. Copy & Paste that into your password box when logging in. It is infinitely more secure.
Ok, so, what to actually do if you do need to recover your account
First, stop panicking. Wipe your nose off and prepare to recover your account just as brilliantly as you lost it.
Also, prepare to be patient. This might not get you back into your account immediately.
There are a couple ways to go about this. Either way, you will need your most recent password and the email associated with your account.
First, figure out if your account was made with the classic SteemIt system, or if it was made using anonsteem.
I came to SteemIt as an UnFucker, and @aggroed was nice enough to sign a bunch of us up so we didn't have to wait for activation. He used anonsteem, which @someguy123 developed and runs.
One way to see how you were signed up is to check your steemd. You can do this by going to www.steemd.com/@yourusername. This is also a great website to check your voting power and bandwidth.
On the left side of your screen you will see a chart with lots of information about your account. This is all public and stored within the blockchain. Look to where it says "Recovery Account". If you were signed up using anonsteem, yours will look like this:
If you were signed up regularly, yours will say Recovery Account: steem.
If you were signed up using steem, you have to initiate SteemIt recovery within 30 days of losing your account. To do this you will need to click the three-line menu at the top right of your screen, and click "Stolen Account Recovery". You will then need to enter your most recent password and the email address associated with your account. You also can do it this way if you were signed up with anonsteem, but there is a more effective way to do it, IF YOU WERE SIGNED UP USING ANONSTEEM. *
I didn't know about this option at first, so I initiated SteemIt recovery as soon as I got locked out. I still haven't heard anything back. Apparently SteemIt recovery is very blocked up, so it may take a while for you to get your account back this way. But if you do do it this way, you should eventually get an email back with a way for you to change your password.
However, if your account was made with anonsteem, @someguy123 can recover it for you if you send him an email or a discord message or a steem.chat message. If you were signed up using anonsteem he is essentially the creator of your account, so he has the power to recover it. He will, again, need your most recent password and the email associated with your account, along with a way to verify your identity, so that he knows you really are the original owner of your account. Thanks to @aggroed for giving me the idea to contact @someguy123.
* EDITED TO ADD: You actually can't initiate account recovery through SteemIt if you were signed up using anonsteem... if you want to recover your anonsteem account, you have to recover it through anonsteem, which @someguy123 can do.
Getting My Account Back
Last Saturday, the day I locked myself out of my SteemIt account, I first messaged @aggroed, then following his advice I initiated SteemIt account recovery and messaged @someguy123.
@someguy123 got back to me earlier today asking for my most recent password, email, and verification of my identity.
Obviously email and discord aren't the most secure, so if a hacker can hack a steemit account, they could also hack them! So the only way for @someguy123 to verify my identity was to ask me for something no one else has access to.
My chicken. He wanted proof with my chicken. 🤣
One of my first blogs on steemit was about my pocket chicken. So he asked me to prove I still have my chicken by sending him pictures of my pocket chicken, next to a piece of paper that said "anonsteemzoey".
Well, I thought. At least he's being humorous about it 😂😂😂!
So, I sent him these pictures:
And, voila! He recovered my account.
I'm So Happy To Be Back!!!!
I'm so excited to be back on steemit, to learn and chat and grow with you all! I will definitely be more careful with my password in the future 😬
I hope some of you find this information useful! If you do, please upvote this post!
Also, thanks to @erinn for going around commenting on my posts to let people know about my stolen account! I have it back now!
Until Next Time,
~Zoey
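The copy & paste mistake described in this post can be caught before publishing. The following is an added example, not part of the original post and not Steemit's own code: a pre-publish check that scans a draft for Steem private keys. It assumes keys are WIF strings (51 base58 characters starting with "5", with a double SHA-256 checksum) and that Steemit-generated master passwords are "P" followed by such a key; all function names are hypothetical.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate token: optional "P" (assumed master-password prefix) + 51-char WIF key.
CANDIDATE = re.compile(r"(?<![%s])P?5[%s]{50}(?![%s])" % (B58, B58, B58))

def _checksum(body):
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]

def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def b58encode(raw):
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def is_wif(token):
    """True only if the token decodes to 0x80 + 32 key bytes + a valid checksum."""
    raw = b58decode(token)
    return len(raw) == 37 and raw[0] == 0x80 and _checksum(raw[:-4]) == raw[-4:]

def make_wif(secret32):
    """Build a WIF string from 32 bytes; used here only to construct sample data."""
    body = b"\x80" + secret32
    return b58encode(body + _checksum(body))

def find_leaked_keys(text):
    """Return (kind, offset) for every checksum-valid key found in the draft.
    Offsets are reported instead of the key so the secret is never echoed."""
    hits = []
    for m in CANDIDATE.finditer(text):
        tok = m.group(0)
        wif = tok[1:] if tok.startswith("P") else tok
        if is_wif(wif):
            kind = "master password" if tok != wif else "private key"
            hits.append((kind, m.start()))
    return hits

if __name__ == "__main__":
    sample = make_wif(bytes(range(1, 33)))  # constructed key, not a real account
    draft = "Great read, here is the link: P" + sample
    print(find_leaked_keys(draft) or "draft is clean")
```

The checksum test keeps ordinary 51-character strings from raising false alarms. A master password you chose yourself has no such structure and will not be detected by this check.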
Just a slight correction :)
You can't use the Steemit account recovery system if you didn't sign up via Steemit. If you used Anonsteem, the only way to recover your account is to contact me (email on the bottom of anonsteem).
When an account is created, a "trustee" is set to the account which created it, e.g. @anonsteem for accounts made using AnonSteem, or @steem for Steemit.com accounts. This trustee is the only account which is able to recover your account. No other account. So if it's made via anonsteem, only anonsteem can recover it, not steemit.
I don't know why they don't reject accounts when you enter them on there, a lot of people wait weeks for recovery from there, only to find out that steemit wasn't responsible, and now it's past the 30 day window and they've lost their account.
I believe my original article was wrong about this. When the owner key is changed (e.g. using change password), there is a 30 day window to initiate recovery using ANY previous owner key or password.
30 days after a password is changed, the recovery process is blocked; this is to protect against a hacker attempting to recover your account, and also to protect you against a malicious trustee agent. For example, after 30 days, you will actually be able to change your trustee to someone else such as steem, allowing you to recover your account using their service, instead of AnonSteem, or give it to a technical friend who you trust to recover your account.
How to change your trustee (by @themarkymark): https://steemit.com/steemit/@themarkymark/how-to-change-your-recovery-account
Ok, thanks for this! I will update the post with this info.
It's very interesting to know, because when I initiated recovery that way, it said someone would contact me and I still haven't heard anything back from them... glad I am not still waiting for that!
Glad you were able to get your account back, I'm actually surprised they are able to recover accounts at all once the password is changed, good thing you still have the chickens!
I was surprised they could fix it, too! I thought for sure I was gonna have to start over lol. Yes, very good I still have my chickens!! :)
You are soooooooo lucky haha. I am happy for you that you got your steem account back!
Aaaand that there is a solution for getting your account back. I resteemed your post for others and my self so I can look back at my resteems when needed :P
I have to say that this is a story you probably never forget about hahaha
Cheeeers
Thanks! I'm glad you find this useful and think your followers will too :)
This is a post worth reading. I smiled when you say it is not a quick fix, wipe your nose and get back to business.
Thanks for the idea of changing your master key every so often like 30 days.
Keep on steemin'
Thank you! I'm glad you find this helpful!!
That’s scary for sure! Glad to hear you got your account back! I will Resteem this post to help get more info out there about account recovery! Thanks for the post!!
Thank you!! I'm glad you find it useful!
It IS scary! I mean, I was paranoid about checking my posts for passwords before this happened, but I had no idea. I still thought you at least would have time to fix it, now I know better!
Thank you for sharing this story, I did not know there were bad bots!
Tough lesson to learn but at least it has a happy ending. I only confirm people's accounts by chicken pics too.
Yes, it was tough lol. But I am happy I learned that lesson before getting too far into my SteemIt account! Also, yeah, I thought it was the most brilliant thing ever!!!
Congratulations getting your account back.. and thanks for these great info 🙂
@josteem
Thank you! :)
How horrifying. I can't imagine how panicked I would have been or the intermittent phases of anger and sadness. I am so glad you fixed this, and your write up on this is one of the most important posts I have read since I have been here. I apologize that my upvote is not worth anything, as you deserve thanks for sharing your ordeal.
Blessings to you and yours.
@masterbot has been called by @practicalthought to give you 4.09% upvote!
Check this post for information about delegation. Make me strong!
Hi @masterbot,
It seems you got a $35.8914 upvote from @masterbot at the last minute before the payout. (14.17h) and this comment is to make everyone aware.
Please follow @abusereports for additional reports of potential reward pool abuse. Thank you.
Uhgg. sorry Zoey, that upvote was meant to be for you. This was the first time I tried using an upvote bot on someone else's post. I got the idea earlier from a post I read. I will try again in the next day once I have more steem, only on a different post that I don't comment on to make sure this doesn't happen again. Not sure how it gave it to me in the first place.
Lol, don't worry about it! :D It's the thought that counts! I'm glad you find this post useful! I would upvote your comment too but unfortunately after all of this my voting power isn't worth very much right now either XD... when it comes back up later I will!
Some useful info in this post, like changing the password every month :)
I'm glad you find it helpful! I was hoping through sharing my experiences with this that it might help others on here.