Steemit experienced hack, theft of user funds, and DDoS attack

Hundreds of users’ accounts compromised and funds stolen.

David bisson
David Bisson

Steemit experienced hack, theft of user funds, and DDoS attack

Steemit recently experienced both a hack that resulted in the theft of users’ funds and a distributed denial-of-service (DDoS) attack.

Steem is a type of technology that feeds Steemit, a social media website. Members of Steemit earn Steem Power and Steem Dollars, with one Steem Dollar equivalent to one United States Dollar, for posting and curating popular content.

On July 14, users of the site began noticing suspicious transactions on their accounts. For instance, one member by the name of “dragonslayer109” noticed US $300 had been transferred from his account to a Bittrex account, an exchange that allows Steemit users to withdraw their Steem Dollars as Bitcoins.

Sign up to our free newsletter.
Security news, advice, and tips.

Dragonslayer steemit

Steemit’s IT teams launched an investigation into those issues and determined the site had experienced an attack that affected a small number of users.

As Steemit CEO Ned Scott told all Steemers on Thursday:

“Steemit was today subjected to a cyber attack. In the attack, fewer than 260 accounts were compromised, and less than $85,000 worth of Steem Dollars and Steem may have been stolen.

The hack has now been contained. User accounts and wallets are not at risk, and we hope to soon reactivate the Steemit website to normal order. Any users whose accounts were compromised will be completely reimbursed.”

Steemit share

In response to the hack, Steemit notified the FBI and launched “a full, internal investigation” into the incident. The site also temporarily suspended members’ ability to deposit or withdraw Steem and Steem dollars.

A day later, Scott announced the site’s admins had secured most of the accounts with balances exceeding $100 and that they were about to institute a password reset for all users affected by the hack:

“Within the next 48 hours, Steemit will begin to allow all newly secured accounts to reset their passwords simply by logging in with the same Facebook or Reddit credentials that were used to register in the first place. This easy process will work for the vast majority of the potentially compromised accounts. All of these account holders will regain full access to their funds and their original account name.”

It was shortly after Steemit made this announcement that it experienced a DDoS attack.

As reported by Softpedia, the site used the attack to update its servers and institute something called “blockchain-based multi-factor authentication,” presumably an account security feature.

Steemit’s investigation into this incident is ongoing at this time.

If you are a Steemit user, you should change your password regardless of whether you were affected by the hack. Users should also implement multi-factor authentication if it is available. (That could very well be the new “blockchain-based multi-factor authentication” feature.)

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.