SPLINTERLANDS'S RENTAL SYSTEM HAS BEEN HACKED?
During the night of September 27 to the morning of September 28, many DEC balances were stolen from many accounts, the stolen accounts will arbitrarily rent a card of a character with the nick name @genrysehydo, this person uses a common card. leased at sky-high prices and then used stolen accounts to rent in order to steal DEC to his account, currently there are more than 288,000 DEC stolen from 13 different accounts. Also some accounts have not only stolen DEC balance but also all cards stolen.
The case is being resolved by support, it is possible that these hacked accounts will not be refunded.
Please be very careful with the security of your account.
Link of hacker's transaction history:
https://peakmonsters.com/@genrysehydo/rental_history
https://peakmonsters.com/@genrysehydo/cards
I feel like if this was a hack it would have been significantly more than just 13 accounts, especially if it was a hack of Splinterlands itself or the dominant market websites. This seems more like the results of phishing. IE the victims unknowingly gave away their posting key or perhaps authorized to a very poorly designed 3rd party or even fake website. I'm going to be following this to find out.
I asked some one of 13 peoples, they are not sign in on the fake website or let's their keys or password be unsafe. This is the error of the market so the hacker can use it to hacked.
13+1, I have strong feeling that it's keys issue
I am a software developer and in the past I have never had any account hacked or visited scam websites. I know how to spot a scam site and how to secure an account
Congratulations @hyun-soo! You have completed the following achievement on the Hive blockchain and have been rewarded with new badge(s) :
Your next target is to reach 50 upvotes.
You can view your badges on your board and compare yourself to others in the Ranking
If you no longer want to receive notifications, reply to this comment with the word
STOPCheck out the last post from @hivebuzz:
Refuse to refund is very bad move.
Since the account is generated by the game, the genesis hive keys is belong to the game.
The stolen DEC is in game, the game have totally authority to manage the in-game asset.
Yet they refuse to refund?
Did you disabled the active-key requirement to transact assets in the game. Picture above. If you did, then anyone with your posting key could have done this. Your posting key might have been compromised earlier and that gave the hacker further opportunity. If you haven't then you leaked the active-key too.
The account that creates your account has nothing to do with this. You own your keys, not splinterlands.
In-game DEC is still yours... but if the above option changes... then its a big risk if your posting keys are leaked (because they will allow DEC/assets to be moved without active key).
Mate... think a bit more...
I think you might be new to HIVE or you don't know yet things around... Well, then let me help with two things:
First, please moderate your statements because they incur confusions and the wrong perception of what is actually happening. And if you don't care, you will just get downvoted because no one in their right mind accepts the HIVE pool to be withdrawn for this. So, either do more research before posting this, or refuse rewards before posting things like this. This is a recommendation, you do what you wish.
Second, if people got their accounts hacked it was either because of bad passwords/emails... or because they leaked their private keys on a fake website/link. Then the hacker took opportunity to get access to those accounts while people didn't change to new keys. It's the user responsibility, not splinterlands. Remember you own your keys and you own your DEC, even if inside the game.
Depending on this option being set on your account (which I highly recommend):
You can't move DEC (even inside the in-game balance) without active-key... so... unless the active-keys of those accounts were leaked as well, no one can do anything.
If the above option is not set, then you are telling splinterlands that the active key is not required to move assets in-game. I believe the default is to require active-key, so users disabling this need to understand what are they doing.
The system is not broken, people just need to learn more.