With all the official statements regarding the hacking incident published on the official @utopian-io account, I still believe there is room for an explanation on my behalf of the incident: what happened, how and why.
In this post I’ve included an FAQ about the incident, and my own personal outlook on the present and future of the Utopian.io project.
- The servers hosting the main Utopian backend services were compromised and the entire filesystem was erased.
- Images and backups from the last month were erased from CDN.
- SteemConnect tokens that were stored in the production database were leaked and used for bulk upvoting of random posts and a downvote attack on a prominent stakeholder on the STEEM blockchain.
Why was Utopian storing users’ tokens in its database?
SteemConnect allows for some unique features. One of these features, used extensively by what was the Utopian.io frontend and backend, was the refresh token.
SteemConnect refresh tokens allow applications to post, vote and perform other basic Steem functions on behalf of the user, client side or server side, without the user having to directly accept the action. These tokens do not enable the transfer of funds, wallet actions or access to account keys.
Utopian was using the SteemConnect Refresh Tokens to:
- Store post submission data, such as the community quality score, moderation data, as well as other data necessary for the functionality of the Utopian frontend.
- Automate rewards for Moderators and Community managers by posting on their behalf as per the @utopian.stats model.
Were the tokens used by Utopian for any other purposes?
Utopian.io never used the tokens for anything that wasn’t immediately obvious for system functionality and integration with the Steem blockchain, as detailed above.
Is SteemConnect Secure? Should I be worried if I am using SteemConnect?
As previously stated, we see no direct risk in using SteemConnect. The attack was targeted against Utopian.io and there is no evidence that the attack came from a SteemConnect leak in any way. Other platforms may or may not store SteemConnect refresh tokens. It is up to the platform to decide if and how to secure them.
Why didn’t Utopian recommend to users to change their keys immediately?
The Utopian team is made up primarily of developers, and we have always been working closely with Busy.org and SteemConnect. It was instantly clear that no wallets or keys could have been compromised in this incident in any way, which made it unnecessary to change passwords and keys to ensure their security.
The only way for your key to have been leaked would have been a direct attack on SteemConnect, or by accessing your client directly during login. Neither is very likely to happen, and both are far from what occurred here.
Was the Utopian.io interface properly secured?
All the machines were thoroughly protected and credentials were owned by a handful of people who needed direct access to the servers for various reasons.
The Utopian.io frontend did not show signs of flaws that could have permitted an attacker direct access to realise such a disruptive action.
The production server was hosted with a well known hosting provider used by multiple leading companies and brands, and was secured based on the latest standards.
The CDN was hosted with a different provider, which lowers the chance of a simultaneous attack and loss of data.
Why was the attack suspected as internal?
As a CEO, handling a situation like this one is challenging. I wish to clarify that no one should ever be accused or suspected without clear and verifiable evidence. Utopian has been a place of collaboration for many gifted professionals who worked with us in the past, and the information below is not, by any means, meant to show any of them in a bad light.
What I can bring here are facts regarding what happened and how we managed it.
- The attacker had intimate knowledge of the location of data and backups on different servers with different service providers, allowing them to make sure no data was safe.
- The attacker knew the SteemConnect secret and refresh tokens were revoked.
- The attacker knew that, even though refresh tokens were revoked, accessing the new secret key on the server would have been sufficient to cast votes on behalf of the user.
- The attacker maintained a backdoor on the main production server even though root passwords and SSH keys were changed daily in the days before the attack.
- The attacker knew what to access in AWS and what data to delete. We have evidence that access to AWS could have been retained through the mobile app, even though the authentication credentials were changed.
- We got reports of unusual activities on the blockchain before and during the attack.
- Unusual activities on behalf of Utopian took place a few days before the main attack. For that reason, tokens, secrets and other credentials were already changed everywhere. It is evident the attacker or attackers planned this attack and were successful in acquiring backdoor access to be used at the right time to act for maximal damage to Utopian.
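The two vote patterns described above (bulk upvoting of many random posts and a concentrated downvote on one account) are the kind of "unusual activity" that can be flagged automatically from an account's vote stream. The following is an added example, not code from Utopian or SteemConnect; the vote records are constructed here and the field layout (timestamp, voter, author, weight) is an assumption rather than the blockchain's schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

# Constructed sample stream: (timestamp, voter, author, weight). Weight is in
# basis points as Steem uses it (-10000 .. 10000). "app-account" stands for
# the posting authority an application votes with; names are placeholders.
SAMPLE_VOTES = [("2018-10-20T10:00:%02d" % (5 * i), "app-account",
                 "author%d" % i, 10000) for i in range(12)]
SAMPLE_VOTES += [
    ("2018-10-20T10:01:30", "app-account", "stakeholder", -10000),
    ("2018-10-20T10:00:10", "carol", "dave", 5000),      # benign voter
    ("2018-10-20T10:03:00", "carol", "erin", 10000),
]

def detect_anomalies(votes, window=timedelta(minutes=5), max_votes=10,
                     downvote_threshold=-5000):
    """Scan a vote stream and report two patterns:

    bulk_votes:        voter -> highest number of votes seen inside `window`
                       (only voters exceeding max_votes are reported)
    targeted_downvote: (voter, author) pairs hit by a vote at or below
                       downvote_threshold (a heavy flag on one account)
    """
    recent = defaultdict(deque)   # voter -> timestamps inside the window
    peak = {}
    downvotes = set()
    for ts_str, voter, author, weight in sorted(votes):
        ts = parse_ts(ts_str)
        q = recent[voter]
        q.append(ts)
        while ts - q[0] > window:  # drop votes older than the window
            q.popleft()
        if len(q) > max_votes:
            peak[voter] = max(peak.get(voter, 0), len(q))
        if weight <= downvote_threshold:
            downvotes.add((voter, author))
    return {"bulk_votes": peak, "targeted_downvote": sorted(downvotes)}

if __name__ == "__main__":
    for kind, hits in detect_anomalies(SAMPLE_VOTES).items():
        print(kind, hits)
```

Thresholds would be tuned per application; the point is that an application's own posting authority has a normal vote rate, and both patterns leave a clear trace on-chain before any server-side logs are consulted.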
Could this attack have been avoided?
This incident was taken very seriously by us, and we took the time to consider and learn from the mistakes made. Many companies and organizations regularly face breaches and attacks on their infrastructure. We are certain that better internal organizational processes could have been adopted to prevent such potential issues.
We consider this a lesson learned, and will take all precautions and steps necessary to ensure nothing like this ever happens again. In addition, we will ensure no user tokens are required to be stored on our services in the future.
Why is the Utopian.io interface kept offline?
As a CEO, I will not take the risks entailed in bringing back a potentially flawed platform, even though the attack on Utopian was most likely not caused by any such flaw. This is to ensure the security of users’ accounts and to show the community our will to protect them at any cost.
It is also worth noting that Utopian.io was born as a proof of concept and a prototype. Utopian.io grew at an unexpected pace - much too fast for us to keep developing the prototype and supporting the existing community, all while working on a finalized and market-ready product.
Utopian aims to be a serious and professional business on the STEEM blockchain and create a sustainable solution for the open source community. It is our goal to be seen as such by entities on every level, in and outside the STEEM blockchain.
To make this utopian vision a sustainable reality, it is necessary for us to focus on the development of a solid, secure and scalable solution rather than continue developing a prototype.
The hacking incident was just another reason that made it clear that such a drastic decision had to be made.
Where is Utopian now?
We are right where we were - the STEEM blockchain.
The true value of Utopian is not in its interface or frontend, but in knowledge and people.
Guidelines that we have built with blood, sweat and a lot of experience, and through which we’ve learned many valuable lessons. https://join.utopian.io/rules is the result of efforts on behalf of dozens of professionals in the Steem community, created and optimized to enable the cohesive and organized submission of the best quality contributions and content possible. Such guidelines are an asset, and they are not going anywhere.
Our Moderation teams. We have been selecting the best of the best professionals on the Steem blockchain to help us review and improve contributions. They are our biggest asset, and as is evident from their massive support in the past days, they are not going anywhere. For that, they will continue to be rewarded for the amazing work they do, just as they were in the past.
When will the Utopian.io interface be back?
We aim to release an improved version of Utopian.io as soon as possible, while keeping all our processes functional. In developing the next generation of Utopian, we will focus mainly on ensuring stability and security.
Expect additional future updates on our progress.
Was the Utopian.io frontend necessary for Utopian to exist?
No, as is evident by the continued influx of contributions, renewed as soon as we announced contributions were once again welcome.
To submit contributions to Utopian.io the community can use any existing STEEM frontend, and our team can continue the curation work it has done so far. While development efforts are focused on completing and delivering an improved new frontend solution, not a single operation of Utopian is being paused due to the deactivation of the old one.
Use the platform of your choice to publish your contribution - Busy.org, Steemit.com, Esteem and others.
Zero Beneficiaries Required. While Utopian is no longer added as an automatic beneficiary, you may still choose to share your rewards with Utopian.
We Made It!
As a CEO of this company I had to go through every possible challenge since I created Utopian.
- Battling scamming and abuse, both internally and externally.
- Teaching and guiding the community to provide valuable work.
- Continuous iteration on our guidelines.
- Fixing technical issues, internally and externally.
I am fully happy to have dedicated myself fully to this project. I see its potential. I stick to the vision.
But nothing could have been achieved without the support of the Utopian team and community before and after the attack on Utopian servers.
The team members who worked with me in this challenging time are the passionate professionals we need to make this blockchain and Utopian a global success. I can’t mention them all, as this post would then never end, so I will start by apologizing to everyone I’ve failed to mention. Here are some of my heroes, in no particular order:
The person who prioritizes quality, fights abuse and strives to grow the wealth of the platform.
The pink lady who corrects my English, does PR everywhere, brainstorms on solutions, manages content and people to produce it, engages the core team and the community... I could go on, but the list is always growing.
It is hard to imagine what the video tutorials category on Utopian would look like without him.
A great developer. You ask for help, and he has fixed it before you even asked.
Another great developer. He was here during and after the attack making sure we had the tools to keep going.
This guy has been here from almost the start, participated in each and every conference, helped in any possible scenario and managed his team and the tutorials category wonderfully.
I can’t think of any other person who cares more about how we present ourselves publicly and brainstorming around solutions to make us improve on a daily basis.
Whenever I needed something to be written well and fast, he was there. Whatever the day, whatever the time.
@favcau, @jmromero, @tobias-g, @Deathwing, @eastmael, @helo, @scipio, @mkt, @emrebeyler, @justyy, @knowledges, @roj, @rosatravels, @portugalcoin, @sirfreeman, @icaro, @sachincool, @therealwolf, @stoodkev, @wehmoen, @paulag, @abh12345, @crokkon, @codingdefined, @andrejcibik, @samrg472, @oups and others.
All the people who worked with us in the past and now, all our collaborators, Community Managers and Moderators; they have been there to help before, during and after the incident to keep the community engaged and updated. They have been there to tackle any issue, any complaint and even harassment for one simple reason:
WE ARE UTOPIAN
And we’re not about to stop.