rich1.0Solomon đ wroteSolomon đ (npub1zvâŚ90m6k)https://yabu.me/npub1zvjczph24sx8k273fhyhgd4426zvxe6mtely2v3tug37zlk08ccsg90m6knjumphttps://yabu.meNew research found 38 ACTIVE Nostr accounts â collectively 21K+ followers â with private keys publicly exposed on relays. Most don't know.
The culprit? Users pasting their nsec into profile fields. Confusing npub (your address) with nsec (your password) is a persistent UX failure, not a protocol flaw.
BigBrotr's analysis of 41M events across 1,085 relays found:
- 16,599 valid keys exposed
- 92% were a bot reposting throwaway accounts
- The real leak rate is steady, ongoing â clients keep letting users paste nsec into wrong fields
If you've ever pasted an nsec anywhere on Nostr, rotate your keys now. There's no password reset. No support ticket. The nsec is the account.
Clients should reject nsec strings in Kind 0 events before signing. One regex check. That's it.
#nostr #security