SECURITY STATS on 'We just hacked 11 accounts on Steemit!...' - Passwords in the open & reaction time

If you haven’t already read my cousin @noisy post about hacking Steemit accounts...

First of all - I’m not even a programmer.

We found out about human made errors in transfers’ memos. Some users used their passwords in public field so anyone could just “hack” their accounts without any hacking skills. Some of those users used their passwords by mistake and they found out those mistakes. But others... well... they didn’t. Until today their passwords were there in the open.

We found only 9 working passwords and we changed them. But look when they were published:

Reaction time	Passwords
< 1 week	1
< 1 month	1
< 6 months	5
< 1 year	2

But there are more to that.

We know from experience that passwords begin from P and have 52 or more random characters/numbers. When we searched the memo database we found out 28 of those passwords! Some of them were already changed but we can’t be 100% sure if they wasn’t changed by someone else. And I suppose there are a lot of not-generated passwords that were changed already. We will never found it out.

Here is the known list:

User	Password published	Password changed
@anggicitrayani	2017-05-06 04:12:24	2017-05-09 04:07:00
@anwen-meditates	2016-07-25 04:22:33	2017-06-07 13:10:51
@aubreyfox	2017-01-21 14:52:09	2017-06-07 13:14:54
@blacktiger	2017-05-10 14:55:48	2017-06-07 13:14:30
@christoryan	2017-03-28 09:19:54	2017-04-09 02:08:18
@crazymumzysa	2017-02-04 11:07:15	2017-02-04 11:09:51
@dunja	2017-02-20 01:11:51	2017-06-07 13:10:00
@elewarne	2016-10-29 13:07:09	2016-10-29 13:43:33
@hansolo	2017-02-25 14:03:36	2017-02-25 14:24:27
@hpns0110	2017-06-05 14:33:24	2017-06-05 14:43:06
@jakethedog	2017-03-21 22:16:03	2017-06-07 13:10:54
@loveofprofit	2016-09-12 22:55:18	2017-05-31 17:55:27
@marszum	2017-05-20 16:56:18	2017-05-21 22:48:03
@me-tarzan	2017-02-12 19:05:12	2017-02-15 13:54:33
@miketr	2016-07-30 13:28:09	2017-06-07 13:13:24
@quetzal	2017-06-04 10:47:03	2017-06-07 13:14:36
@ricardoguthrie	2017-04-25 23:36:18	2017-05-14 19:30:06
@riskdebonair	2017-05-29 18:12:36	2017-05-29 18:15:03
@streetartgallery	2016-11-01 19:40:48	2016-11-01 19:46:24
@t3ran13	2016-08-16 19:28:48	2016-08-17 05:38:24
@technology	2016-08-15 15:42:18	2016-08-15 23:50:57
@tieuthuong	2017-03-19 01:44:18	2017-06-07 13:14:42
@uiaslout	2017-05-11 17:15:03	2017-05-15 04:57:06
@virtualgrowth	2016-10-24 19:10:06	2016-10-26 04:49:06
@virtualgrowth	2016-12-06 19:08:45	2017-06-07 13:00:33
@voiceover	2017-03-25 17:03:00	2017-03-29 23:14:48
@xcigar	2017-06-03 23:18:00	2017-06-03 23:21:33
@zer0hedge	2017-06-03 02:24:48	2017-06-03 02:25:24

Let’s sort it by reaction time of password changed.

User	Reaction time	Our action
@zer0hedge	36 s	no
@riskdebonair	2 min 27 s	no
@crazymumzysa	2 min 36 s	no
@xcigar	3 min 33 s	no
@streetartgallery	5 min 36 s	no
@hpns0110	9 min 42 s	no
@hansolo	20 min 51 s	no
@elewarne	36 min 24 s	no
@technology	8 h 8 min 39 s	no
@t3ran13	10 h 9 min 36 s	no
@marszum	1 d 5 h 51 min 45 s	no
@virtualgrowth	1 d 9 h 39 min 0 s	no
@me-tarzan	2 d 18 h 49 min 21 s	no
@anggicitrayani	2 d 23 h 54 min 36 s	no
@quetzal	3 d 2 h 27 min 33 s	YES!
@uiaslout	3 d 11 h 42 min 3 s	no
@voiceover	4 d 6 h 11 min 48 s	no
@christoryan	11 d 16 h 48 min 24 s	no
@ricardoguthrie	18 d 19 h 53 min 48 s	no
@blacktiger	27 d 22 h 18 min 42 s	YES!
@jakethedog	77 d 14 h 54 min 51 s	YES!
@tieuthuong	80 d 11 h 30 min 24 s	YES!
@dunja	107 d 11 h 58 min 9 s	YES!
@aubreyfox	136 d 22 h 22 min 45 s	YES!
@virtualgrowth	182 d 17 h 51 min 48 s	YES!
@loveofprofit	260 d 19 h 0 min 9 s	no
@miketr	311 d 23 h 45 min 15 s	YES!
@anwen-meditates	317 d 8 h 48 min 18 s	YES!

When we compress it a little:

Reaction time	Passwords
< 5 minutes	4
< 10 minutes	2
< 1 hour	2
< 1 day	2
< 1 week	7
< 1 month	3
< 6 months	5
< 1 year	3

And finally when it will be changed into graph with days in bottom:

CONCLUSION!

Be careful! This data can be found by anyone and it’s still out there in the open! Think twice when posting a memo during transfer!