## The Problem

The issue of users unknowingly exposing their private keys in memo while transferring their funds is a problem that has been time and again exposed by developers. The issue was raised by @noisy in a very famous article (6 months ago):

[We just hacked 11 accounts on Steemit! ~$21 749 in STEEM and SBD is under our control. But we are good guys 😇 So...](https://steemit.com/steemit/@noisy/we-just-hacked-11-accounts-on-steemit-1158-sbd-and-8250-steem-is-under-our-control-but-we-are-good-guys-so)

Then again the same problem was pointed out by popular steemit user [Jerry Banfield](https://steemit.com/@jerrybanfield), 2 months ago, in his article titled : [I Found $63,278 of Private Keys on Steemit.com in 10 Minutes!](https://steemit.com/steemit/@jerrybanfield/i-found-usd63-278-of-private-keys-on-steemit-com-in-10-minutes)

The private keys of user get exposed unknowingly as the users transfer their steem/SBD using the transfer option on steemit.

![image.png](https://res.cloudinary.com/hpiynhbhq/image/upload/v1511413927/yuq7nqcz9mktym6tg7ml.png)

In the memo field, users tend to enter their private memo keys. Some users have exposed even their master passwords in the memo field.

### How I accessed the exposed private keys:

It was really easy to query the steem database for exposed private keys using [SteemData](https://github.com/SteemData/steemdata-mongo). 

@Furion has provided an awesome tutorial on using **SteemData** titled: [Getting started with SteemData](https://steemit.com/steemdata/@furion/getting-started-with-steemdata).
**I used  [RoboMongo](https://robomongo.org/download) as a cross-platform GUI utility for playing around with SteemData.**

### Accessing master passwords

I used the following simple query to get master passwords exposed on steem blockchain:
```
db.getCollection('AccountOperations').find({'memo': /^P5/})
```
This query yields 28 results. These are 28 independent transactions after the last hard fork where the private keys got exposed. I checked the length of these keys using https://www.lettercount.com/. (Yes, the password length is 52 ). I checked this by repeatedly generating new passwords using generate new password option in steemit.
![image.png](https://res.cloudinary.com/hpiynhbhq/image/upload/v1511415095/za7nkxh4axgq7n5faetb.png)

The passwords have now been changed. That's a good thing. I will partially reveal only few of the account name and passwords anyway so that you know I am not bluffing. Anyways you can acess the other names by the query mentioned previously.

 |   Account Name | Private Key | Transaction id | Timestamp |
  |-------------------|--------------|------------------| ------------- |   
 |  @scigar  | P5HrWfmKXXXXX  | 5293f4c83846a2c4b50c1bf2c52381f260b9a06c  | 2017-06-03 23:17:57.000Z |
|@steemboad | P5JJYBFXXXXX | 70069c982e98e7917fe13093f63266d2f995c912 | 2017-11-12 09:15:54.000Z |
| @fittrex  | P5Kk17eRvytzXXXXX | b18ac26c09f88c1e4211e30a6094a41f2b965440 | 2017-10-13 00:32:00.000Z  |
| @herman2141  | P5JJYBFNwYrn1m9ZFHHGXXXX  | 70069c982e98e7917fe13093f63266d2f995c912  |  2017-11-12 09:15:54.000Z |
| @prosperous  | P5KDF2BRMQcCVcRDHuzT6iy2oNshZw1JqyMfSuV4QXXXXX  | f3d62cba41df96db0f55be9a0f0752cb5a4d6eab  | 2017-06-15 00:48:21.000Z  |

### Accessing private memo/posting keys.

Hundreds, if not thousands of private memo keys have been exposed publicly in the blockchain transaction memos. Since these are publicly available, I will mention some them. They can be used to login to the accounts although any other action like posting/voting requires private posting keys.

I used the query mentioned below:
```
db.getCollection('AccountOperations').find({'memo': /^5/})
```
Then I checked which keys contained 51 characters. This gave me *private memo keys* or *private posting keys* of a large number of accounts. Some of them I will disclose below. I sincerely request these account owners to reset their passwords.

|   Account Name | Private Key | Transaction id | Timestamp |
  |-------------------|--------------|------------------| ------------- |   
 |  @bestjt  | 5K1deWWcqGecvzsfNWDSPGZHTwXXXXXXX  | ed26183ec4284c568e30c6fc2ce190db1dc14438  | 2017-11-16 17:23:48.000Z |
|@beoped | 5KU12e2JPyh31iz5bYLKXVCAi4y79366gPku2keEwJ1XXXX | 3d562b3acebab7936da253e3671f71b0b4d83cf6  | 2017-11-16 14:00:36.000Z |
| @ccoindigger  | 5K1UyjjZiVpUH2mAFdnChfZH2fEFte2qk8EVfCVDXXXXXX | 3cb3e6fe46733f9dd2be60453594be429deaf2bd | 2017-11-09 21:35:24.000Z  |
| @caspell  | 5Ka2iTeUpzWYSYdF8wcw2pkf2tsMGr7QeTLsi7qC4GxmXXXXXX  | de2df1c7fde1dc8bb5ac2093f9a865293e81605a  | 2017-11-15 03:06:57.000Z |
| @cryptocryptov  | 5Jqu16YDY83QKWWnwDinwmKhxK51DuCjdduXXXXX | ac39c483bd8cb7f21672a48f3fd9b5dde64c0861  | 2017-11-16 05:16:06.000Z |

Hundreds of other private memo keys have also been exposed. It is a sincere request to all users to not enter their private keys as memos. Please spread awareness about this issue so that the problem can be resolved. As of now, the memo keys don't really do much. But in future, they may perform important functions as steem blockchain evolves.

### Last 10 days Data Analysis:

Analysing last 10 days data for date-wise number of transactions exposing private keys we find the following pattern:

![image.png](https://res.cloudinary.com/hpiynhbhq/image/upload/v1511437862/bzxlk9kzvqipynlwdfdi.png)



Thank You and take care.

<br /><hr/><em>Posted on <a href="https://utopian.io/utopian-io/@shreyasgune/hack-alert-users-exposing-private-keys-in-memo-while-transfer">Utopian.io -  Rewarding Open Source Contributors</a></em><hr/>