A testing account connected to Singapore-based EOS block producer EOSIO.SG was hacked, according to a Medium post published by the block producer on November 14.
According to EOSIO.SG, on November 3 of this year, one of the block producer's testing accounts (account sym111111add) was hacked by an unknown person or persons, and on November 12 that account was used to siphon HVT and ZKS tokens associated with AirDropsDAC, which provides airdrops as a service to Dapp developers in the EOS ecosystem. The hacker(s) exchanged a portion of the HVT tokens on Newdex for 2514 EOS and transferred the resulting EOS into several accounts.
When conducting its own investigation into the hack, EOSIO.SG purportedly found that the testing account was created by mistake on November 3 of this year by a "programmer using a script originally used on Testnet." Apparently, the public and private keys for that address were publicly listed on a Github code repository and "stolen" within six hours.
EOSIO.SG has compiled a list of accounts linked to the stolen keys and is conducting further research before the company releases more details. The block producer intends to upgrade internal management guidelines to make sure these guidelines fulfill cybersecurity requirements.
As part of the ongoing investigation and subsequent improvement efforts, EOSIO.SG is hosting a formal Q&A session to address questions from the general public. Details and how to submit questions can be found in the linked medium post.
EOSIO.SG ends the article apologetically, saying:
"We deeply regret that our oversight has resulted in one of our accounts to be compromised and subsequently used in an inappropriate manner. We will take a lot away from this incident and the frustration it has caused the AirdropsDAC team and the wider EOS community."