Company promises to refund affected users. Steemit, a relatively small social network, announced last Thursday, on July 14, that an unknown attacker had managed to hack its network and steal some of its users’ funds.
Steem is a new kind of technology that powers the Steemit social network and works by rewarding users that post popular content by Steem Power and Steem Dollars, a custom crypto-currency with a one-to-one ratio to the US dollar.
The network works exactly like Reddit or Hacker News, only you get the chance to earn money by curating and creating new content.
Attacker stole Steem Dollars, which he can convert to Bitcoin
Steemit user dragonslayer109 was the first one to notice the attack, after reporting mysterious transactions that transferred funds from his account to another Bittrex account, a Bitcoin trading portal with which Steemit works to allow users to withdraw Steem Dollars as Bitcoin.
Other users noticed the same thing, and the company took note of the incident and started an investigation after shutting down the ability to transfer funds to Bittrex, and later notifying the FBI and other authorities.
The investigation revealed that the attack affected less than 260 users, but has managed to steal $85,000 worth of Steem Dollars and Steem Power.
Attack used browser-side vulnerabilities in the Steemit website
Steemit CEO Ned Scott said that all affected users created their Steemit account via Facebook or Reddit. In a later update posted over the weekend, Scott also said that “the Steem blockchain was never hacked. Likewise, our servers were never hacked. Instead, the hacker exploited browser-side vulnerabilities.”
Scott also said they were able to contain the attack on the same day, and that Steem Dollars and Steem Power will be returned to all users, refunded courtesy of Steemit itself.
After patching the issues in the Steemit website code, the network is now asking all users to change their passwords. Steemit is different from other online services because users have three passwords, an Owner Key, an Active Key, and a Posting Key, each used for various actions.
Steemit faced a DDoS attack after fixing the issues
Coincidentally or not, right after the company made this announcement, a DDoS attack hit its servers.
Steemit used this attack to bring down their servers for maintenance and upgrade their service by adding something they called “blockchain-based multi-factor authentication,” to boost account security even more.
Since the second Steemit update is not hosted on a linkable page, we have embedded it below dragonslayer109’s photo, if you wish to read it.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.