I am very impressed with the prompt reaction of the steemit.com management team to the hacking incident that happened on July 14th, and I guess they may still be working hard on finding other vulnerabilities that the attacker may use in the future.
It may be too early for the steemit team to announce all the details, but I could not find even basic information about the attack vector of the hacking, except that the hacking was not at the blockchain protocol level but rather at steemit.com's user authorization level. I doubt the attack vector was the end users' careless password management, because even the steemit.com CEO's account was compromised.
https://steemit.com/steemit/@libdep/ceo-of-steem-powering-down
Without understanding the attack vector, we cannot be sure that the vulnerabilities the attacker used are now fixed, or at least temporarily curtailed, until a more fundamental solution is implemented.
So here are my questions regarding the attack vector.
(1) How could the attack compromise the target accounts?
(2) Was steemit.com's server also compromised?
(3) If (2) is not the case, could malicious client-side code in an individual post compromise the readers' passwords?
(4) Then what is the solution to prevent the same kind of attack in the future?
I also have some more questions about the remedies for the damage caused by the attack, based on the following two postings:
https://steemit.com/steemit/@steemitblog/important-security-announcement-steemit-ceo-ned-scott
https://steemit.com/steemit/@steemit3/first-update-to-july-14-security-announcement-from-steemit-ceo-ned-scott
"the Steemit team has been able to coordinate with elected witnesses to secure potentially compromised accounts with balances exceeding $100 US. As a result, we can ensure these accounts are restored to their rightful owners. This process has been completed."
"Within the next 48 hours, Steemit will begin to allow all newly secured accounts to reset their passwords simply by logging in with the same Facebook or Reddit credentials that were used to register in the first place."
"Any users whose accounts were compromised will be completely reimbursed."
(5) Do those remedies require any state changes on the blockchain?
(6) Does "reimbursed" mean the transactions the hacker incurred will be rolled back? Or will steemit.com pay the compromised accounts from its own funds?
(7) Where are the stolen funds of $85,000 (SD?) now? Have they already hit the exchanges and been traded?
(8) Who has the authority to reset users' passwords? Is it allowed to change someone's password without acquiring the user's password (or private keys)?
Changing passwords means changing private keys, because the private keys are generated from the passwords.
https://steemit.com/steemhelp/@dantheman/get-your-private-key-from-your-steemit
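To illustrate the point above that a password change is a key change, here is an added example (not code from the original post or from Steemit) of the Steem-style derivation as I understand it from the reference libraries: each role key is sha256(account + role + password), then encoded as a WIF string. The account name and passwords are constructed samples.

```python
import hashlib

# Bitcoin/Steem base58 alphabet (no 0, O, I, l).
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def base58_encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = bytearray()
    while n:
        n, rem = divmod(n, 58)
        out.append(B58_ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out[::-1].decode("ascii")

def base58_decode(text: str) -> bytes:
    """Inverse of base58_encode."""
    n = 0
    for ch in text.encode("ascii"):
        n = n * 58 + B58_ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + raw

def derive_secret(account: str, role: str, password: str) -> bytes:
    """32-byte private scalar = sha256(account || role || password).
    One password thus yields distinct owner/active/posting/memo keys,
    and any new password yields a completely new set of keys."""
    return hashlib.sha256((account + role + password).encode("utf-8")).digest()

def derive_wif(account: str, role: str, password: str) -> str:
    """Wallet Import Format: base58(0x80 || secret || 4-byte double-sha256 checksum)."""
    payload = b"\x80" + derive_secret(account, role, password)
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return base58_encode(payload + checksum)

def wif_is_valid(wif: str) -> bool:
    """Check version byte, length and checksum of a WIF string."""
    raw = base58_decode(wif)
    if len(raw) != 37 or raw[0] != 0x80:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum

if __name__ == "__main__":
    # Constructed sample account and passwords, not real credentials.
    for pw in ("P5old-password-example", "P5new-password-example"):
        print(pw, {r: derive_wif("alice", r, pw) for r in ("owner", "active", "posting", "memo")})
```

Running it shows that the old and new passwords share no key material, which is why a "password reset" performed by anyone necessarily replaces the account's keys on the blockchain.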
In the future, if steemit.com wants to, can they reset any user's private keys at their own discretion?
I don't belong to the so-called "blockchain immutability" or "code is law" religion. However, if any changes need to happen on the blockchain, I think they should be clearly announced and justified, and the action should be consented to by the members or the appropriate decision makers.
Maybe a lot of users on steemit.com don't care about these issues as long as their money is safe and steemit.com still works, and want to rely on steemit.com Inc.'s professional risk-management capacity. However, isn't this kind of mentality closer to the centralized model that they are trying to overcome?