How to Recover a Stolen or Hacked Steem Account - Password Recovery

in PowerHouseCreatives9 months ago (edited)

Today, I want to cover a very important topic of account recovery. This is a two-part process where you need to work together with the person who your recovery account is set to. You will also need to know how to manage account keys and change your password (I cover that briefly, too).

This process is quite difficult, but it could save you. I found existing tutorials on this aren't so good. People lose their minds when this happens and need good advice (This will be cross-posted to my #FAQ community later). Fortunately, account recovery is a relatively trust-free process and thankfully I'm here to help (If I say anything dodgy, I encourage you to call me out in the comments).

*Technically account recovery is changing and recovering your password. However, there is a catch. To be specific this process only works with your recent password changes for up to 30 days. If you don't have a password that was valid within the past 30 days, you are out of luck.

Fortunately, no one has ever lost a password they rarely need to use before. /s

I included details on how to change and secure/encrypt passwords as well as find old recent owner keys.
If your account is lost you only really need to know the first 5 steps, but everyone should be familiar with the others.

Before we start

Last week, I wrote about How to de-Steemit Steem. One of the topics I mentioned everyone can do is change their recovery account from @Steem (Steemit) to something else. The best is to pick someone you know. Also, talk to them about it first. If they are not around to help, this is bad.

Actually, when doing this you need your owner private key. I forgot to mention that it a good idea to change your password after entering your owner private key anywhere (so change it soon, more on how to do that below).

I also mentioned how to change your recovery account and find out who it is set to. However, I will review it in brief here.

Lastly, for pretty much everything, I use https://steemworld.org/ However you can actually recover your password in the Steemit Wallet too (but I am taking a long-deserved break from them).

Step #1. Generate a new set of keys

Assuming your keys don't work, you need new ones. On SteemWorld, when viewing your account, just go down to tools near the bottom. Generate a Random Master Key (I put in abc123 as a dumb example and for better or worse that isn't @steem's password)

01keygenerator.JPG
You need to generate a new set of keys. Never recycle your keys or enter a dumb master password (generate random always)

Note:

Actually, If you just lost one or two private keys (owner or active), enter your existing master key in after writing in your account name. If the account name and the master key don't match, you won't get your private keys. You can check if they are your current private keys by seenig if the corresponding public keys match the ones on your account (to see that go up to the top of Steem World > Account Details > Public Keys). If they match, skip to #8 Password Change (you definitely want to change your password after entering your master key somewhere). If they don't match try to recover your account.

Firstly, to recover your account, you need to make a new set of keys. Just copy and paste everything From Account Down to Export Public keys into a note pad, save it and move on. I like to click generate randomly a few times just for the hell of it before and after I copy everything down, you will change your password anyway after your account is recovered so there is no need to be super secure with this set (just keep it for 30 days incase double-failure).

Step # 2. Send an Account Recovery Request

Obviously you need to tell the person who will recover your account that you want your account recovered (if you try to recover your own account, you get an error). Usually, if the person recovering your account is competent they will verify your ID.

Steemit asks for an email or phone number. Actually, this is disturbing but good. You don't want random people who steal your password (hackers) to be able to spoof this service.

02Request Account Recovery.JPG
This is what the request account recovery page looks like, you don't actually do this. This is the only info the person recovering your account needs (they need their private active key, too)

Doing this is simple. Write down your account name and your new PUBLIC owner key that was generated in Step 1. Talk to the person who is your Recovery Account Owner and share this info with them. Actually, they do this part on SteemWorld, not you (unless you are recovering an alt-account like I was).

WARNING: Don't share your private keys with the person who is recovering your account or they can actually steal it. Fortunately, SteemWorld will only accept a public key. Notice how they all start with STM. Anyone can find these out anyway.

Step # 3. Confirm the Recovery Request by entering your recent Public Key.

This page sure looks familiar. Actually, you recover on the same page as the person recovering your account (it caused me some confusion when trying to recover my alt, but for you, this should be easy).

Go to SteemWorld, Scroll down to Tools > Account Recovery > Incoming Recovery Request

As you can see you have an Expiration Time (24hrs). Actually, the worst thing a person who is your recovery account can do is spam these requests (set a new person if they do that without apology and report please so we can attack them).

03Incoming Recovery Request.JPG
Enter your recent public owner key (not the one you just generated in step 1, the one that was used less than 30 days ago)

Firstly check the New Public Owner Key, make sure it is the same as the one generated in Step 1. If it is not the same, someone made a mistake. Contact the person recovering your account again. Don't worry, they can't actually scam your account by giving you the wrong one.

After, enter your most recent Public owner key. No, It's not the one you made in step 1. It's the one that was whatever your password set it to before your keys were changed. Remember if your keys were changed more than 30 days ago it's game over (I'll tell you how to find it below).

Step # 4. Confirm Your new Private Owner Key

Here is how you check if the person who recovered your account entered the correct public key. If they didn't you will get some error message.

04NewPrivateKey.JPG
Enter your Newly generated private owner key. This confirms the correct public key was entered.

This part is pretty straight forward. If you get some error, it means you need to generate new keys (go back to step 1) and repeat the above steps. It the public key matched the request, the other person recovering your account wasn't responsible for this error. If they don't match, you still need to cooperate, but consider changing your recovery account when you are done.

Step # 5. Enter Your Recent Private Owner Key

This is where it may be game over. You cannot find this information anywhere publically. If you don't have a key that was set on your account within 30 days, sadly it is the end of the road. You can cry, you can beg, you can plee for mercy. There is nothing that can be done. As unfortunate as this maybe if you actually could recover a long lost password, no account on Steem would be safe (it would rely on a central authority).

05RecentPrivateKey.JPG
Enter your recent private owner key (it should match the recent public owner key above

If you have the necessary information, congratulations, you have now recovered your account. Change your password and thank the person who helped recover your account.

You can continue reading if you need help on how to change your password or more information about finding recent public keys, etc.

text15.png

Changing your Password (suggested)

Step #1 Generate a New Password

If you noticed in Step 3, it said you should change your password after recovering your account. Personally I think you should change your password whenever entering your private owner key or master key anywhere.

It also said you have to wait 1 hour after account recovery. Go take a nice hot bath, you can now relax and you probably need too.

08ChangePassword.JPG
If you use your master or owner password, change it

To change your password on SteemWorld, go down to Tools > Change password

Generate a new Master key (I like to click click a few time), after copy and past everything from "New Master Key" to "Change Password" I like to write the date, too. After 30 days only your current password is necessary. If you want to be super safe, change it every 3~4 weeks so you never get locked out unwittingly.

Step #2. Enter your Existing Private Owner Key

This is straight forward. You need your current password to change your password. Just make sure you write everything down

09ChangePassword2.JPG
You need your existing password to change your password since this isn't a recovery.

To quote the Steemit Wallet:

The first rule of Steemit is: Do not lose your password.
The second rule of Steemit is: Do not lose your password.
The third rule of Steemit is: We cannot recover your password.
The fourth rule: If you can remember the password, it's not secure.
The fifth rule: Use only randomly-generated passwords.
The sixth rule: Do not tell anyone your password.
The seventh rule: Always back up your password.

TL;DR don't lose your f##king password

After 30 days it is game over for your Steem account, it's probably spamming bible quotes and that is ironic because only God can help you now.

text15.png

Extra Tip: Encrypting your Private keys (suggested)

I like to print the notepad file I saved of my private keys and put it somewhere safe (in a waterproof container in a fire proof safebox).

However, I also need my active and posting key (and perhaps memo key) somewhere more useful. I use keychain, but I also like to save it in a zip file.

10_7zip.JPG
I use 7.zip to save and encrypt private information

Saving an unencrypted file is dumb. 7-zip is open-sourced freeware that allows one to easily encrypt and decrypt zip files. If you see, I change the "archive format" to zip

Make sure you choose a strong password that you can remember, write that down. Using a bible quote or something is cool because if you lose this, again, only God can help you (that's why I print, too).

I recommend you keep it offline (ideally on a thumb drive or portable harddrive) especially if you owner and master keys are saved here (I delete those from the file I zip).

Fortunately, if it is stolen, you know how to do account recovery anyway.

text15.png

Finding Public Keys (Unnecessary unless sloppy)

I mentioned you can find your public keys on SteemWorld. However, sometimes you need your owner key history. Good news, if this is empty, it means only your current password is recent, you can trash the others (after verification). I guess it is bad news if you don't know the private keys for your current password.

Step #1. Steemd.com/[accountName]

If you already checked your recent public keys and noticed they changed (Check Steem World > Account Details > Public Keys), but want to see if you still have a recent set of public and private keys, Steemd.com can help.

Goto : https://steemd.com/ and enter your account name.

06SteemdOwnerKey.JPG
Steemd.com is a little ghetto but powerful for checking account history

Scroll down and look at the left to fund your public keys.

Next click on "Owner Key History"

07Previous Owner Key.JPG
If your account keys were changed within the past 30 days, you can find your recent public owner keys here

Yes, it doesn't look pretty.

Mine currently looks like this:

{"id"=>148571, "account"=>"steem.faq", "previous_owner_authority"=>{"weight_threshold"=>1, "account_auths"=>[], "key_auths"=>[["STM7e2rnjsTUr85zA8nCkZXfjRMGCRuEftj6yqMiHsZTBJzvddrzf", 1]]}, "last_valid_time"=>"2020-02-19T12:07:09"}
{"id"=>148572, "account"=>"steem.faq", "previous_owner_authority"=>{"weight_threshold"=>1, "account_auths"=>[], "key_auths"=>[["STM5hfjQPXtcHxzExptsWfvQ1VTkXfLeMCp4QKc4WwsaiemAnckSs", 1]]}, "last_valid_time"=>"2020-02-19T12:14:54"}
{"id"=>148578, "account"=>"steem.faq", "previous_owner_authority"=>{"weight_threshold"=>1, "account_auths"=>[], "key_auths"=>[["STM6hUHHu5vErWNd2cEUkuhMRi9c4iXgfZEKPZD23UxhxTze6GsGd", 1]]}, "last_valid_time"=>"2020-02-19T13:16:48"}

There are 3 public owner keys there (I had to change my password 3 times to safely make this demo). If you get hacked, you may see alot, just do a search with the set you last copied to your note pad, or try the oldest (top) one.

In my case it is STM7e2rnjsTUr85zA8nCkZXfjRMGCRuEftj6yqMiHsZTBJzvddrzf
Yours will also start with STM and end at the next "

text15.png

The End

I hope you found this helpful.

TD:DR: Remember to keep your old passwords for at least 30 days after a change and never enter your Owner or Master PW online unless you have no choice.

Steemit is not Steem. Let's support 3rd party developers like @steemchiller the creator of SteemWorld.org, or @Steempeak the best front end to access Steem.

I'm posting this in the #powerhousecreatives community because I'm a proud member. Later, I'll cross-post using the @steem.faq account to my community #FAQ for Steem tutorials and FAQ (hive-149034).

#accountrecovery #password #oc #posh #twitter:

Sort:  

Great stuff mate, I was going to write about the different keys in my next Bluffer's Guide so would go well with what you have written here. We should have a pretty comprehensive guide to steem soon 😉

 9 months ago (edited)

There is a great diagram of the different keys on steemit wallet. The difference between master and owner took me awhile to fully get.

Please be so kind to allow me the pleasure of cross-posting to the FAQ community. I was actually planning on looking for stuff to crosspost there (I will limit 1 of mine a week [no covert-self upvote] and 1 a day of others'). I just want to wait till the community grows a little so more people are around to see.

Yes I remember seeing that in steemitwallet. It was like a pyramid diagram right? Haven't used steemit for a long time!

Are you asking me to cross post this to your FAQ community? Still getting my head around all that. Didn't know it actually copied the whole blog post and made a new one! Just thought it was like a resteem and shared it in like with FB groups.

Won't be making that mistake again lol.

Yup. That's it. I checked out steem wallet to get my quoted text on keys!

Im asking if I can use the @steem.faq account I made to cross-post. I don't expect you to fill up your blog with self-cross-posts. It's a weird feature and an annoying way to get a post on a niche community. Not sure why we can't just revamp the resteem to allow this...

Yea resteeming would make more sense for sure rather than this!

I'd say so but probably not for a month or so. Reckon there shouldn't be cross-posting on a live post which is something I discovered when doing my travel post a couple of days ago.

Hello!

This post has been manually curated, resteemed
and gifted with some virtually delicious cake
from the @helpiecake curation team!

Much love to you from all of us at @helpie!
Keep up the great work!


helpiecake

Manually curated by @priyanarc.


@helpie is a Community Witness.

Thank you ~♡~

This is definitely a post everyone should bookmark; just in case.
I've read the horror stories of this happening; and if you're like me, you are on steemit every day and this would absolutely throw a curve ball into life.

Absolutely. My intention is to help people understand the process so they are familiar in case the worst does happen or to help avoid messing up.
I would hate to have to figure everything out while watching some hacker power-down my account and wreck everything. The faster this process is done the better.

Bookmarked my friend and thank you for your time to create this great post!
Blessings!

It could as a matter of musfortunate become an important topic. I hope you or anyone never needs it.

I'll admit it isn't a ahiny or warm topic. However, I noticed a lack of info on this topic when posting the last one. A lot of it looked complicated and technical. But the procedure is simple and safe if one has access to their recent keys.

 9 months ago (edited)

Well, you are doing great things for the members with these kind of posts my friend. You should definitely continue with them as they are of much value and they should all be at the top in trending because of their importance.
Don't forget, I would still like to know why my posts lose value every day and then at 7 days lose another big cut.
Does it depend on the front end that one uses and how much does each front end charge?
Blessings!

Thanks. I find them helpful, too. Eventually I will make a directory of mine and others I find. But I want to wait a little while longer as there are so many changees happening now.

I'm planning to do it for next week. I have founded the difference between the front ends I use are similar (as I remember it used to be different maybe things were consolidated), the key is understanding how STU is calculated and the relation between that and Steem and SBD. Maybe I'll make a diagram to explain.

 9 months ago (edited)

Ah yes! A directory will be good methinks!

Another difficulty is for example to get 100 upvotes and only 5% are 10 cents and more.
The majority of the votes are $00.00, or .01 or .02
Can't they stop to show the low value votes, so that a person can better judge their progress?
Or does an empty vote have any value?

I think a filter could work to remove irrelevantvotes (<0.001 or even less than 0.01), especially if one wants to analyze the value of their post. But they are worth something as people seem to complain about tue equally valueless downvotes.

I think some people just like to see lots, but between me and you I'd rather have a comment than a low downvote.

SBD payments have stopped again so we won't see as much price change between Steem and SBD. Also it seems the excitement from Tron is now dying off a little. Maybe the price of Steem will slow its movements.

Well I have a list currently of 47 downvotes thus far and there might be some that I have missed. I just don't see any sense in it.
You are right as things seem to be calming down.
Blessings!

We are SO proud to have you as a member of our
FANTABULOUS Power House Creatives family!
uvoted and resteemed!

❤ MWAH!!! ❤

Power House Creatives _night mode.png

JOIN OUR DISCORD COMMUNITY
SUBSCRIBE TO OUR COMMUNITY FEED

LIKE OUR FB PAGE
FOLLOW US ON TWITTER

Posted using Partiko Android

Great =)

Hey @abitcoinskeptic, just want to say thank you very much for writing this post. I am in a kinda nightmare situation and this info has been invaluable to generating hope for a recovery of my main account, @barge.

You mention in the post that you are here to help. If I have any questions or doubts about the process may I approach you?

In gratitude
🙏

I hope you are able to recover your account. You need to check who the recovery account is set to (I hope it is not Steem/Steemit) and you must have access to a password that was used within the last 30 days.

Thanks for getting back!

The current situation is:

  • I changed my recovery account from Steem to an alt of mine (@nutraj) just 9 minutes before I changed the passwords (which I then lost). This was the start of the issue.
  • I was able to generate my old (last used 1 Oct) Owner keys using the old Master I had. I verified that the public owner key I got matched the one on my account as per the instructions in your post. I am therefore confident I have the required keys to initiate account recovery
  • I changed my recovery account at 2020-10-01 14:29:36 (UTC)
  • I changed my keys at 2020-10-01 14:38:57 (UTC)

I believe I'm covered. I have access to the recovery account and need to make sure I don't miss this tiny window of opportunity. I also need to ensure I have a backup PC ready as well as a hotspot from a mobile, in case of some freak circumstance affecting computer or network.

I'd be happy to hear your thoughts on this and my chances.

Many thanks again.

That is a tight schedule. It's a shame you lost your new password just after changing the recovery account, But a good thing you control all accounts.

I suggest you have your keys labelled ready in a note pad or something to just copy and paste.

You are lucky it's a couple weeks after the hardfork and the network should be stable.

I know huh, quite James Bondesque in a way!

I count my good fortunes. It could've been much worse if I had not thought to change the recovery account before changing passwords - doubt if Steem would be moved to recover Hive accounts. I'd be a gonner!

A stable network would be great. The nodes were playing up the day I lost my keys, as detailed in my post about it, but full and ultimate responsibility is mine.

I'll defo have the keys to had to copy and paste.

Thanks again, I'll be sure to update you after the 31st, when I can let go of this at last.

Hi again @abitcoinskeptic, I wonder if you're able to advise me a little more please:

I'm trying to perform an account recovery on HiveWorld as a practice run for my 9-min window. I have successfully requested the recovery and I see the 'incoming recovery request'. I enter the new and old owner keys as required but I then come across an error: "RPCError: missing required other authority:Missing Authority".

This is what I'm doing: using @nutraj to recover @callysnapper

  • Hiveworld > nutraj > request account recovery > enter new (randomly generated) pub owner key > sign tx as nutraj with keychain
  • Hiveworld > callysnapper > Account recovery > Incoming recovery request > [enter keys as reqd] > RPCERROR

I've done this over and over again with different keys for recovery and tried it in different browsers (brave, ff, chrome). I also tried changing the nodes in Hiveworld. Each time ditto.

Logically, I know the recovery process works..right? I mean, accs must have been recovered in the past and the process tested! Therefore either

  1. I am doing something wrong and/or am missing something
  2. or there is an issue with the network/nodes/HF24-kinda thing

I have been trying this for the past few hours and will now leave it until the next day.

Do you have any thoughts or advice or suggestions?

Many thanks

image.png

Ive never tried Hive World before, I used Steem world, but I imagine it is similar.

To send request you need to enter old private owner key, after pw changed, and new public owner key.

As recoverer, please make sure you enterting the same new public owner key and the same old public owner key of the recoveree account.

After go back tonthe recoelvered account and enter new private owner key.

I'll take a look at Hive World if that doesn't work.

Many thanks again for getting back to me, it is much appreciated.

I tried Hiveworld and I also tried https://hivetasks.com/account-recovery. Both continued to return RPC errors, just at different stages of the process.

However, thanks to @deathwing, I've now got another way in which has worked for recovering the above-mentioned test accounts and which should therefore work on the day of my 9-min window. This involved installing Python and broadcasting the transaction myself. Deathwing walked me through the process and we tested it together - it works! I'm utterly delighted and a bit nervous too. I'll breathe again normally after the 31st.

I'll let you know how it goes. Thank you so very much for your help with this 🙏

I wish you luck. Python is definitely the best solution, but definitely want to set up and test that first.

 9 months ago Reveal Comment