My NNS has been stolen,Please help me

How did you come to this conclusion?

This is very concerning, how did this happen?

I think the IC is not ready to have people outside dfinity call for a proposal that changes the code, first thing for that to happen is for the complete codebase and build to be public. I think people can start proposing motion proposals but dfinity can say no to a motion proposal even if it passes because motion proposals don’t change the code they just make a vote. With that said, a motion proposal may be a good way to get dfinity to start working on switching the internet identity mnemonic phrase for @xiaobing if the community votes on it and if dfinity sees that the community wants it (maybe they will do it, but maybe not). I think if you are going to make a motion proposal, then for people to see what’s going on, to put the evidence and the account trail somewhere public so people can see and ask questions before you make the proposal. One last thing I can say is maybe try to contact this place https://support.internetcomputer.org/

I think a fairly easy to implement and safe solution would be to add an account level setting “new recovery device activation delay” and a per recovery device setting during add like “dissolve delay” - explicit remove required after that.

The first does not allow to the hacker to register his device immediately, the second doesnt let him to kick other devices.

In this particular case xiaobing checked the account every 2 days and plannad for long term so he could have set the first delay to six months.
His recovery yubikey also could have some long dissolve delay.

Note that I’m talking about recovery device management only.

Some warning would be nice about recovery device changes.

Basically the idea is if there is no way to immediately give the account to somebody then nobody can steal it.

Ok, thanks for your support, I will update the latest progress here

Dfinity’s technicians analyzed the account’s historical block information and discovered that my mnemonic had been changed. For their help in letting me know what’s going on

Several time, I have posted that we should have better security (2FA, etc) for our neurons. Just found out about how easy it would be to hack fingerprint login. I will remove all mine from II. I hope Dfinty will work on this as priority. Protecting investors has no value.
Please see video: Kraken Security Labs Bypasses Biometric Security With $5 In Materials - YouTube

The safest authentication method has been and still is a security key. Ideally, you can use one with a PIN, such as the a Ledger Nano with Fido u2f enabled. The vast majority of hacking is done by social engineering and stolen passwords, and physical attacks like this are statistically a low risk

I did to. @zire, we really need to prevent this king of issues by making necessary to enter the seedphrase before being able to supress it ! At least, it would allow to not lose forever out neurons and our staked ICP. I just started a new post about this, more and more people scare about this ! This can’t be delayed anymore. Otherwise, the world will spread quickly and people won’t stake anymore.

We just need to have to enter the seedphrase before being able to supress it ! This must be set ASAP.

DFINITY team has worked with @xiaobing on this case pretty extensively in the last few weeks and devoted substantial engineering resources in the investigation. It was a high priority item for us, given the potential implications. I’ve met with OP @xiaobing in person once and had 2 zoom-calls with @PaulLiu connecting from the West Coast. I’ll write up a post to explain what happened. In short, the data trail revealed by the investigation suggested that:

• This was not caused by any bug in the Internet Computer
• OP’s computer was most likely hacked and the hacker very likely had physical access to his laptop.

Stay tuned for the post that will explain in details what DFINITY did to help the OP, the full story behind OP’s case, and what we can learn from the investigation.

I don’t deny your availability, I don’t doubt about it one sec. But whatever the singularities of this case, every one suffer of the possibility of having his seedphrase suppressed easily, cause the seedphrase is not asked for this, so everyone risks to lose forever Identity, neurons, and staked ICP

Exactly, physical access to the laptop. But he would not have suffered this loss of control if the seedphrase had not been changeable without having to enter the seedphrase in the first place.

I think that even if this is not the alpha and the omega, set this would be a very important security layer. Afterwhat, the rest could be improve. But firstly, we can’t be able to supress as easily the seedphrase anymore. Just set the necessity of log the seedphrase before being able to change it or supress it. We will avoid a lot of issues.

@Roman You can carry on with your usual activities on NNS and Internet Computer with staking and etc. There is no need to be scared. Good old Internet Computer works fine, as far as we know.

There is a reason why no other similar case to @xiaobing has been reported anywhere in the community. So far it seems to be a singular, one-of-a-kind case, that does not apply to other users.

It’s highly probable that the OP got hacked by an insider. It’s not pleasant to present this scenario, but after eliminating all other possibilities, this is the one scenario that could not be categorically ruled out.

But @zire, is it in coding term heavy to set the necessity of enter the seedphrase being able to suppress it ? Because not doing it is a very risky gamble. Don’t you think this is a god idea ?
you have to know that I almost not use ICP, because I am too scared to install iPhone and Touch ID on my Mac, because anyone hacking or stealing my phone/Mac, could suppress my seedphrase easily. Consequence, I don’t use any app. I have to connect my ledger FIDOU2F before any use of ICP, so I do it once a day, to merge my maturity, but don’t have patience to to it each time I can’t to use ICP. So I don’t. I won’t be alone.

Except if we use yubikey or ledger FIDO(U2F), anybody stealing a Mac or a iPhone could suppress the seedphrase in one moment. By not setting the necessity of entering the seedphrase before suppressing it, the defenses of ICP against steal/hack are those of Apple, etc. So, the only solution for now is not connected the internet Identity to any devices, except Yubikey and ledger, so we can’t use ICP on the phone. Consequence, I never go district and will never use dapp optimized for phone use.

Believe me, @zire, i am not alone.

First of all, THANKS to @zire and @PaulLiu , WITH their help I know for sure that my account was stolen. Most likely, someone around me had access to one of my two Yubikeys, and then modified the mnemonic and deleted my two Yubikeys.At present, I think the biggest reason for this is of course our improper custody. Secondly, I think it is also questionable that the mnemonic can be changed, because almost no mnemonic can be changed in other cryptocurrencies.The good thing is that the ICP in my account has been pledged for 8 years.That gave me time to retrieve my account.

At present, no one has met the same situation as me, so I don’t know how to retrieve the stolen account. Now my only hope is to initiate the proposal. Now I am preparing to initiate the proposal, and I would like to ask you to vote for me no matter for or against.I also hope that my experience can serve as a reference for future generations, and of course I hope that no one will ever lose their account.It was a very unfortunate experience.

Based on publicly disclosed information that you have shared, there are a couple of additional hypothesis that I have.

A. If you took a picture of your seed phrase on your phone, that picture might be somehow compromised.

B. The second hypothesis is MERELY A CONJECTURE AT THIS POINT. This thread(Frontend security) discusses how agentjs is storing information in local storage and how xss extension hacks are able to access this information to call canister methods. I HAVE NOT VERIFIED THAT THIS IMPLEMENTATION IS ACTUALLY MANIFEST IN THE INTERNET IDENTITY APP.

The mnemonic was taken with a professional camera not a cell phone, the mnemonic was not stolen, the mnemonic was replaced with a Yubikey, and then the new mnemonic was used to delete the two Yubikeys

Thanks for clarifying on how the picture was taken.

On your second point, currently you can have two recovery mechanisms; mnemonic AND a yubi key. Perhaps the attacker got a hold of the account and then added additional yubikey as recovery.