We've got quite a few articles and comments from people who seem to assume that if somebody stole your password, they would automatically get your money. Even @Telesfor , who is generally pretty well-versed in these things, seems to think so.
This is not true.
To get your money a thief needs access to your seed phrase.
Having just your password is not enough.
Don't believe me?
Let's see. I've created an account @NoSeedNoMoney .
This account has about $200 in balance.
You can even check the block explorer:
I should be careful to protect my password from thieves, right?
Keep my password, which is 123verysecret for the account NoSeedNoMoney, a total secret, right?
Did I just tell you my password?
I surely did.
Don't get it?
Let me try again:
First one to take it gets to keep it!
EDIT (24 hours later): Even with the password right out in the open, nobody was able to steal the money; we returned it to where it originally came from via this transaction. Someone even decided to change the password :) That still didn't help them steal the money. Your money is safe unless a) somebody has physical access to your computer; b) somebody has access to your seed phrase; or c) your computer has a virus that gives hackers full access to it.
But you won't be able to take it, since only my device has the seed phrase.
My account at read.cash (which is what my password protects) doesn't have that seed phrase, so if you try to log in with my password, you will be notified that your device doesn't have a seed phrase associated with this account.
That means that if somebody stole your money, then one of the following is true:
The thief got access to your computer or mobile phone and sent your money from your device;
The thief got access to where you store the seed phrase;
You have malware or a virus that gives hackers access to your device (sometimes that is an application that gives you free money or free services, like most free VPN services or "phone mining" apps; ask yourself why a company would give you for free something they normally sell. What do they get in return?)
Ok, so if read.cash is so secure, then why do we keep telling people not to keep more than $20 in their online wallet?
Easy. Because even the biggest companies are vulnerable to server hacks. If hackers got into our infrastructure (it's hard, but even the biggest companies fall victim to this), they could replace the honest wallet code we serve with something like "when a user logs in, send all the money to my account using the user's seed phrase". Because the wallet code runs on the device that holds the seed phrase, code swapped out on the server can do anything your own device can do. So far that has not happened, but to protect you from that risk we ask you not to keep big amounts in your online wallet, or to accept the risk.
But frankly, that's possible even with a phone app or a desktop app. You don't know what code is in there and, let's be honest, even if you had access to the code, you have no idea how to review it (OK, some of you do, but that's less than 1% of all people). So a wallet developer on a rampage could just as easily replace their honest wallet code with "send all money to us, OK, thanks, bye!", and the next time you open the wallet on your phone there's $0.00. So far that hasn't happened either, but it's possible too.
She claims that this transaction was not made by her.
She's right. She didn't make that transaction, because it's a transaction where somebody sent her $0.01 as a tip:
If you have questions like this, please don't write articles starting a public panic, but email us at email@example.com instead.
But read.cash sooner or later has to take steps to make its wallet more robust and hack-proof.
Dear @Broker , we took a lot of steps to make our wallet secure, and thousands of users can confirm its security. You can confirm it yourself: log in with the password we provided above and enjoy the security.
Unless you have a virus, or a thief has physical access to your device or your seed, your money is safe.
Don't spread panic. And don't forget to keep your seed words secure. If you lose them, we won't be able to help you. Your money will sit forever on the blockchain, just like these guys.
EDIT: Some people opened the account and even commented below. The money is still untouched.
UPDATE: The money was eventually found, nothing was stolen.