How Do You Recover Your Stolen Steem Account? Are You a Recovery Account Owner? Do You Even Know? This Tutorial Will Help!

in account-recovery •  4 months ago  (edited)

Most people, when they hear about account recovery on Steem, think about the image below from steemitwallet.com. That is the beginning of the process Steemit, Inc. has for account recovery, which is most likely aimed at users who joined Steem via steemit.com or who can provide the same level of proof of identity when asking to recover their accounts. Why? Because the duty of a recovery account owner is to make sure that whoever is asking for the account recovery is the real owner of the account before initiating the account recovery procedure.

I've written about account recovery here as well, but felt this followup tutorial is needed. However, in the second part of the linked post above and the great comments (thank you @steemchiller and especially @crokkon, with whom I had a longer conversation), you can find answers to questions like:

  • what is a recovery account?
  • how can you find which is your recovery account?
  • how can you change your recovery account?
  • and why would you change your recovery account?

I've mentioned above the duty of recovery account owners: to make sure they only initiate the recovery procedure at the request of the real owner. Otherwise a hacker could claim the account as their own.

But what is the duty of any steemian? To make sure they have a proper recovery account. What is a "proper" recovery account? Well, if you created the account via steemit.com, steem.ninja, or even anonsteem, they have well-established processes for account recovery. If a major dapp created the account for you (but read below for exceptions!), it is likely they formalized this process to some extent as well, but it doesn't hurt to ask how the account recovery process would work for them.

It is possible that the account was created for you by a (d)app which is now inactive, whose owner isn't reachable, etc. In this case, I highly recommend that you change your recovery account! See steemchiller's comment to learn how to do it from SteemWorld, but also note that the change happens 30 days after your request, so you won't see any change for 30 days (this delay prevents a hacker from quickly changing the recovery account to an account he controls).

And the final situation I'll mention. Many regular steemians created "free" accounts by claiming tickets with their resource credits and then creating accounts for friends, family, associates, and people they may not even know.

If you guys are tight, the only concern is that the recovery account owner is aware (s)he has such a role and that (s)he might be needed at some point. They should also know what to do in such a case, so it would help if they read this tutorial before there's a fire to put out. If the recovery account holder doesn't feel up to the task or you don't trust him/her to be there for you when you need him/her, change your recovery account! But don't set a random account or @steem as a recovery account. Set one to whose owner you can easily prove you are who you say you are. It's best if you have talked outside Steem on more than one occasion, and maybe met.

So, before we go to the tutorial itself, let's answer the question in the title the simple way.

Are you a recovery account owner (also referred to as 'trustees')? If you created an account for anyone (including alts for yourself) and they haven't changed their recovery account, you certainly are!

And now, let's see, step by step, how the account recovery process goes.

You have a few options to go through the account recovery process, as @crokkon pointed out:

For the tutorial I chose SteemWorld, because it's a high-profile tool that most steemians know.

Let's describe the steps one would need to take to have their account recovered.
A. Contact your recovery account owner and send him/her a NEW public owner key for the account which needs to be recovered.
B. The recovery account owner must verify in some way that you are who you say you are: the real account owner. After (s)he does that,
C. The recovery account initiates an account recovery request, using your username and the new public owner key you provided.
D. You go ahead with the account recovery on your end, by using a recent public owner key. You'll then be asked for the recent private owner key and then your new private owner key to finally confirm it.

Now let's see the process in detail, walking through a real example.

1. Which Is Your Recovery Account?

Before you begin, you need to find out which account is the recovery account for the account you need recovered. You can do this from SteemWorld, General Data page, "Recovery Account". Here I explained how you can do it from steemd.

In my case it's simple. I created a test account yesterday "testuser123", using a claim ticket. And my account @gadrian was set as the recovery account.

2. Generating a New Master Password, to Have New Owner Keys

Throughout the process I explained in steps A-D, you need both the public and private versions of a NEW owner key pair.

So you need to generate new owner keys. The simplest way to do that, without changing the password (which you might not even be able to do if your account was compromised), is to generate a random master password on SteemWorld.

Generating this random password is done purely at the interface level; it won't affect your account in any way. So you won't have a new master password on your account after using this tool. If you need a new master password, you should use the "Change Password" option instead.

But what you will have is new owner keys (both public and private), based on your account name and a randomly generated password. And that's what you need.


So, as the screenshot shows, you'll use the "Key Generator" option from the left and on the page fill in the username of the account to be recovered, then click "Generate Random".

YOU WILL NEED TO STORE BOTH THE PRIVATE AND THE PUBLIC OWNER KEYS THAT ARE DERIVED FROM THIS RANDOM MASTER PASSWORD, AS YOU WILL NEED BOTH LATER ON.

Contact the recovery account owner, give him/her the PUBLIC owner key, and ask him/her to recover your account.

3. Recovery Account Owner's Turn During This Step

After the recovery account owner verifies that you are indeed the true owner of the account, (s)he will request an account recovery, using the username of the account to recover and the new public owner key, which you provided.


4. Your Turn to Continue and Finish the Account Recovery Process

After the request to recover your account has been initiated by the recovery account, it's your turn. You will see the active account recovery request on the same page on SteemWorld: the Account Recovery tool, from the left sidebar, further down the page.

If you do nothing for 24 hours the account recovery request will expire and nothing will happen.

To continue with the account recovery request, you'll need to add a public owner key recently used on the account to recover. It may be a good idea to check and see if the new public owner key from above is the same as the one you transmitted to the recovery account owner. Then click "Recover Account".


You'll be asked to enter the PRIVATE NEW owner key, then the PRIVATE recent owner key (which matches the public recent owner key you provided earlier), to finally confirm the account recovery.

If you haven't used the recent private owner key to sign anything on the blockchain yet, you'll receive an error, like I did.

That makes sense: one doesn't need account recovery if one's private owner key hasn't been changed by an intruder. If only one private key (like the private posting key) has been compromised, a simple password change plus removal of any authorities given away is enough.

If the account recovery is successful, you'll have no more incoming recovery requests, and the account recovery operation will be recorded on the blockchain.

5. Don't Forget to Change Your Master Password After You're Done!

At least 1 hour after the account recovery, don't forget to change the master password for the recovered account. Evidently, store the new master password safely, as well as the new private keys.
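The rules from steps A-D, together with the 24-hour request expiry and the 30-day delay on recovery-account changes, can be modelled in a few lines of Python. This is an added example, not code from SteemWorld or the Steem blockchain: class and method names are hypothetical, keys are placeholder strings, signatures are not checked, and treating a "recent" owner key as any owner key that has since been replaced is a simplifying assumption.

```python
from dataclasses import dataclass, field

REQUEST_TTL = 24 * 3600        # a recovery request expires after 24 hours
CHANGE_DELAY = 30 * 24 * 3600  # a recovery-account change applies after 30 days

@dataclass
class Account:
    owner_key: str                 # current public owner key (placeholder string)
    recovery_account: str
    old_owner_keys: set = field(default_factory=set)  # owner keys since replaced
    pending_change: tuple = None   # (new recovery account, effective time)

class Chain:
    # Toy ledger: no signatures, keys are opaque strings, time is in seconds.
    def __init__(self):
        self.accounts, self.requests = {}, {}

    def set_owner_key(self, name, key):
        acct = self.accounts[name]
        acct.old_owner_keys.add(acct.owner_key)
        acct.owner_key = key

    def change_recovery_account(self, name, new_recovery, now):
        self.accounts[name].pending_change = (new_recovery, now + CHANGE_DELAY)

    def recovery_account_of(self, name, now):
        acct = self.accounts[name]
        new, effective_at = acct.pending_change or (None, 0)
        return new if new and now >= effective_at else acct.recovery_account

    def request_recovery(self, requester, name, new_key, now):   # step C
        if requester != self.recovery_account_of(name, now):
            return "rejected: requester is not the recovery account"
        self.requests[name] = (new_key, now + REQUEST_TTL)
        return "request stored"

    def recover(self, name, recent_key, new_key, now):           # step D
        requested_key, expires = self.requests.get(name, (None, 0))
        if requested_key is None or now > expires:
            return "rejected: no active recovery request"
        if new_key != requested_key:
            return "rejected: new key is not the one in the request"
        if recent_key not in self.accounts[name].old_owner_keys:
            return "rejected: recent key was never a replaced owner key"
        self.set_owner_key(name, new_key)
        del self.requests[name]
        return "recovered"
```

Calling `recover()` on an account whose owner key was never replaced returns the "recent key" rejection, which corresponds to the error described in step 4. A recovery-account change made less than 30 days earlier does not stop the original recovery account from filing the request.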

Conclusion

It is important that both recovery account owners (whose number is growing, now that claim tickets are affordable to anyone with at least dolphin-size SP) and regular steemians know what to do if their own accounts, or accounts for which they are set as the recovery account, get stolen.

I find it a good practice to have some idea about it before the unfortunate situation when we need to apply this knowledge hastily.

I went through the process for my own benefit, to learn, but by documenting the process this tutorial might help others avoid an unpleasant situation.


Thanks for creating this tutorial! I agree, the best way to learn the unknown is by trying it oneself. That's also true for developing software and many other things in life.

I plan to create an overview of SteemWorld tutorials in future and I will include a link to this one in there. Would be nice, if you could add the tag #steemworld, so I can find it later easily without going through my whole blog ;)

Yup, doing it yourself, that's the best way to learn in my experience as well.

Would be nice, if you could add the tag #steemworld, so I can find it later easily without going through my whole blog ;)

You got it! Thanks! :)

Congratulations! You're probably now among the 0.01% of Steem users who ever did this :D
great write-up, this can be really helpful for others!

Lol, it's nice being among the 0.01% Steem users at anything!

Good test!

Yup, I messed up a bit at first and had to request account recovery again. But it was a good learning experience.

This is a really great guide @gadrian, and thanks for all the hard work you put in to make it, stay awesome.

Thanks mate, appreciate it! Yup, it took some time to put it together, testing, documenting each step and putting it into the post. But hopefully someone, when they'll really need it, will find it helpful.

That is great and I am sure it will be helpful.
