With the Steem and Steemit code being open source, we have seen a number of sites based on Steem and Steemit launching.
New ones are launching at regular intervals.
STEEM users are familiar with the model and are, somewhat understandably, eager to get in on the ground floor hoping for lightning to strike twice.
That, however, is not necessarily the best choice.
Bad actors can just as easily set themselves up with a STEEM/steemit clone in a matter of days or weeks and get up to all kinds of antics.
For instance, not many of today's users were around when the infamous steemit "hack" happened.
Neither Steemit nor the STEEM protocol was actually hacked; the attacker found a loophole that bypassed some of the steemit.com site security features. This let them upload images carrying malicious JavaScript which, when the image was rendered in a victim's browser, forwarded the keys stored there to the attacker.
Long story short, over 200 accounts were compromised in a matter of hours, simply by opening a post that had one of these malicious images in one of the comments on that page.
As a result, we now have the account recovery feature implemented on the STEEM blockchain.
Right now we are witnessing the meltdown of one of the newest STEEM/steemit clones.
Already it appears that keys are compromised. So far these are just Bearshares keys... but what is to stop a bad actor from creating a clone, luring steemit users over to it, and embedding key-stealing code somewhere in the site that harvests whatever keys the browser has stored?
STEEM users should be very aware of what sites they visit on the same device they log in to steemit with, and should be using their posting key (not the active or owner key) in most instances, so that a stolen key can at worst post and vote rather than move funds or take over the account.