Yup, this is exactly what I have been shouting about for weeks now and expected would eventually happen. I am happy that you are a white hat and didn't take control of the accounts for yourself to profit from.

I believe it is better to push away new users with less user friendly registration (that forces them to use a randomly generated key that they must store securely and use password managers to manage) than to bring them aboard easily only to completely piss them off when their account or funds are stolen [1]. It is our job to make it as user-friendly as possible and to provide great resources educating users how to generate and manage random high-entropy passwords. But I don't agree with compromising their security because it is "too hard" and we don't want to lose them as new users.

[1] Although the new recovery feature allows them to get their account back. Most funds are usually locked in the time-locked Steem Power, so hopefully not too much financial damage would be done by the time they recover their account. And there are plans for a user opt-in and configurable time-locked savings account to even protect their more liquid STEEM and Steem Dollar funds from being stolen by hackers assuming they recover their account in a few days.

This is why I proposed 2FA. I understand 2FA is hard to implement on the blockchain but as the saying goes "when there is a will there is a way". I feel very unsafe on this platform without 2FA. Please read this https://steemit.com/steemit/@domavila/two-factor-authentication-and-why-we-need-it-now

That's pretty terrifying, and it's a good job that you posted this... It hadn't occurred that *of course* hashed passwords are going to be freely available offline because in using a web UI you're used to the assumptions of a traditional web model.

Good on you (assuming you did what you said) for just reassigning back to Steemit. Sounds like we do really need 2FA or generated only passwords... It's a shame that browser tooling around SSL client certs is so user unfriendly, having a client cert as a per-browser alternative to the generated password would be a good way of removing the usability barrier. Users would obviously still have to store their password but they could use the installed client cert for day-to-day auth and just use the password for requesting new certs for new devices.

im actually kind of suprised.  When they said that the hacker had private keys, i was thinking he could hashcat them to get passwords... but i figured with 16 characters that would take an unreasonable amount of time.  
I figured with a 16 digit password even the weakest passwords would be relatively hard to guess... though i do support 2FA

TBH, i think this is a pretty shitty thing to do.  It definitely isnt ethical hacking, and one can only hope that the owners pursue legal measures if your claims are true.
I agree with your point.. but i dont think you should be fucking with other peoples money to make it.

robinhood, can you send me an email ned at steemit dot com