It has recently come to our attention that there is a list of Splinterlands account usernames, passwords, and in some cases private keys, that has been circulating online for some time. In the vast majority of the cases, the data contained only Splinterlands website passwords or posting keys, which do not allow any assets to be transferred out of players' accounts, but there were also some active keys and master passwords.
We have looked into this and determined that this information was most likely gleaned from users' personal devices that were likely infected with some type of malware over the past few years. There is no indication that any Splinterlands servers or products have been compromised in any way.
That being said, we take security very seriously both for ourselves and for our community, so we wanted to take this opportunity to remind everyone about the security features and best practices available with both Splinterlands and the Hive blockchain to help prevent players' information and assets from being stolen going forward.
Additionally, we have already reached out individually to all users whose information was found to be compromised to notify them and help them to secure their accounts.
Hive / Splinterlands Security
One of the reasons Splinterlands was originally built on, and continues to remain on, the Hive blockchain is that Hive has some of the best security features of any blockchain platform available, even today, many years later.
These features allow players to secure their assets in such a way that even if all of their keys are compromised they are still able to recover their account without losing much at all. The Splinterlands support team has been helping players who have been compromised through this process for many years and it works quite well.
The following best practices will ensure that your account is set up properly to allow a full recovery in the event that your keys are compromised.
1. Use Hive Keychain
First and foremost, we highly encourage everyone to use the Hive Keychain browser extension in order to interact with Splinterlands (or any other Hive apps for that matter). While this won't necessarily protect you if you get malware on your device, it does reduce the possible attack vectors significantly and, on top of that, it's much more convenient than copy/pasting your keys into the website.
For more information, please see the following Splinterlands support article: Hive Keychain Installation & Usage
2. Stake / Lock Assets
Next, we advise that everyone stakes or locks as many of their Splinterlands assets as possible in their account. Most assets within Splinterlands can be staked or locked in some way and this allows you time to recover your account in the event that your keys get compromised before any assets are able to be transferred out.
3. Sign Up for Notifications
We also recommend that everyone sign up for notifications regarding actions on their Hive wallets. For this, we recommend the F.R.I.D.A.Y service, built and maintained by @deathwing, which provides Discord notifications when various actions happen on your account.
You can join the Discord server and set up notifications for your account at the following link: friday.deathwing.me
We recommend setting up notifications at a minimum for outgoing transfers, account update, and recovery account change events on your Hive wallet, as these transactions will often be the first that happen if a wallet is compromised.
4. Review Recovery Account
Last, but not least, we encourage everyone to review the recovery account that is listed on their Hive account. The recovery account is another Hive account that can help recover your account in the event that your keys get compromised and changed without your permission.
Most players who created their accounts through Splinterlands should have "steemmonsters" (or in a few cases "postpromoter" or "ocdb" which were other accounts used by Splinterlands in the past) as their recovery account. In the event that your keys are compromised and changed, you will be able to verify your identity with us and we can help you to recover your account (which is a process we have helped many players with over the years).
If you do not wish to have Splinterlands as your recovery partner, that is fine, but we recommend you set it to an account owned by someone you know and trust. It is important that you do NOT set your recovery account to another account that you have the keys to. If you do this, then it is likely that keys to both accounts will be obtained if you are compromised and then the account will not be able to be recovered at all.
To check your recovery account you can go to hivehub.dev, enter your Hive account name in the search box, then click on the "Account Blockchain Data" button on the top right, and scroll down to the "Recovery Account" item.
If you wish to change your recovery account, please see the following support article which can walk you through the process: How to Change Your Recovery Account
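The checks from steps 3 and 4, written out as an added example that is not part of the original post or any Splinterlands code: it flags outgoing transfers, account updates and recovery account changes in a list of account operations, and classifies an account's recovery account. The function names, account names and sample data are constructed, and the entries are assumed to use the [operation name, payload] shape of Hive's account history API.

```python
# Added example; every account name and operation below is constructed.
SPLINTERLANDS_RECOVERY = {"steemmonsters", "postpromoter", "ocdb"}  # named in the post

def review_recovery_account(account, own_accounts):
    """Classify the recovery_account field of a Hive account record."""
    rec = account["recovery_account"]
    if rec == account["name"] or rec in own_accounts:
        return "unsafe: you hold the keys to the recovery account"
    if rec in SPLINTERLANDS_RECOVERY:
        return "ok: Splinterlands-operated recovery account"
    return "review: confirm you know and trust the owner of @" + rec

def triage(name, history):
    """Return (timestamp, alert) pairs for outgoing transfers, account
    updates and recovery account changes affecting `name`."""
    alerts = []
    for entry in history:
        op_name, op = entry["op"]
        ts = entry["timestamp"]
        if op_name == "transfer" and op["from"] == name:
            alerts.append((ts, f"outgoing transfer of {op['amount']} to @{op['to']}"))
        elif op_name in ("account_update", "account_update2") and op["account"] == name:
            # Report which authorities or keys the update carries.
            changed = [k for k in ("owner", "active", "posting", "memo_key") if k in op]
            alerts.append((ts, "account update touching: " + ", ".join(changed)))
        elif op_name == "change_recovery_account" and op["account_to_recover"] == name:
            alerts.append((ts, f"recovery account change to @{op['new_recovery_account']}"))
    return alerts

SAMPLE_ACCOUNT = {"name": "alice-example", "recovery_account": "steemmonsters"}
SAMPLE_HISTORY = [  # constructed: incoming transfer, then a takeover-like sequence
    {"timestamp": "2024-01-05T10:00:00", "op": ["transfer",
        {"from": "bob-example", "to": "alice-example", "amount": "5.000 HIVE", "memo": ""}]},
    {"timestamp": "2024-01-06T02:14:09", "op": ["account_update",
        {"account": "alice-example", "active": {"key_auths": [["STM_PLACEHOLDER", 1]]},
         "memo_key": "STM_PLACEHOLDER", "json_metadata": ""}]},
    {"timestamp": "2024-01-06T02:14:30", "op": ["change_recovery_account",
        {"account_to_recover": "alice-example",
         "new_recovery_account": "mallory-example", "extensions": []}]},
    {"timestamp": "2024-01-06T02:15:02", "op": ["transfer",
        {"from": "alice-example", "to": "mallory-example", "amount": "12.345 HIVE", "memo": ""}]},
    {"timestamp": "2024-01-06T03:00:00", "op": ["custom_json",
        {"id": "example_app", "json": "{}"}]},
]

if __name__ == "__main__":
    print(review_recovery_account(SAMPLE_ACCOUNT, own_accounts={"alice-alt"}))
    for ts, alert in triage("alice-example", SAMPLE_HISTORY):
        print(ts, alert)
```

The incoming transfer and the custom_json entry produce no alert; the three remaining operations do, in the order they occurred.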
5. Change Your Keys
Unlike most other blockchain platforms, Hive allows users to change their private keys. If you have any concerns at all that your keys may be compromised, go ahead and change them.
Please keep in mind, however, that if your account was created through Splinterlands and you change your Hive keys, we will not be able to help you recover them if you lose them. We can still help with the recovery process if your keys are compromised, but not if you lose them yourself.
For instructions on changing your Hive keys, please see the following Splinterlands support articles:
General Security
In addition to setting up your Hive wallet properly, it is important to review general security best practices to hopefully prevent your keys or passwords from being compromised in the first place.
Please see the following Splinterlands support article for general security best practices: Basic Recommendations to Keep Your Accounts Secure
Nice tool by deathwing, I registered on it
Up-to-date security consciousness is very important.
Thanks for sharing these support services available to us!
👍