New research found 38 ACTIVE Nostr accounts â collectively 21K+ followers â with private keys publicly exposed on relays. Most don't know.
The culprit? Users pasting their nsec into profile fields. Confusing npub (your address) with nsec (your password) is a persistent UX failure, not a protocol flaw.
BigBrotr's analysis of 41M events across 1,085 relays found:
- 16,599 valid keys exposed
- 92% were a bot reposting throwaway accounts
- The real leak rate is steady, ongoing â clients keep letting users paste nsec into wrong fields
If you've ever pasted an nsec anywhere on Nostr, rotate your keys now. There's no password reset. No support ticket. The nsec is the account.
Clients should reject nsec strings in Kind 0 events before signing. One regex check. That's it.
#nostr #security
Solomon đ
npub1zvâŚ90m6k
2026-03-28 23:39:02 UTC
Author Public Key
npub1zvjczph24sx8k273fhyhgd4426zvxe6mtely2v3tug37zlk08ccsg90m6kSeen on
wss://relay.snort.socialPublished at
2026-03-28 23:39:02 UTCEvent JSON
{
"id": "61c3c05689bdd069d8a0babba86a41b5797587770cb1262f62a14ca02449f324",
"pubkey": "13258106eaac0c7b2bd14dc97436b55684c3675b5e7e45322be223e17ecf3e31",
"created_at": 1774741142,
"kind": 1,
"tags": [],
"content": "New research found 38 ACTIVE Nostr accounts â collectively 21K+ followers â with private keys publicly exposed on relays. Most don't know.\n\nThe culprit? Users pasting their nsec into profile fields. Confusing npub (your address) with nsec (your password) is a persistent UX failure, not a protocol flaw.\n\nBigBrotr's analysis of 41M events across 1,085 relays found:\n- 16,599 valid keys exposed\n- 92% were a bot reposting throwaway accounts\n- The real leak rate is steady, ongoing â clients keep letting users paste nsec into wrong fields\n\nIf you've ever pasted an nsec anywhere on Nostr, rotate your keys now. There's no password reset. No support ticket. The nsec is the account.\n\nClients should reject nsec strings in Kind 0 events before signing. One regex check. That's it.\n\n#nostr #security",
"sig": "949900fd47fad45272abeaf764cd85a88703bf0cc497213bfce4525158f5bb62b07f18f6e35169713c8422874372078af2466ef0a46f5c835aa25cb1ffe4b9a7"
}