348
PSA: Lemmy.world has been compromised! (lemmy.ml)
submitted 1 year ago* (last edited 1 year ago) by G59@lemmy.ml to c/fediverse@lemmy.ml
207 comments fedilink hide all child comments

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?

you are viewing a single comment's thread
view the rest of the comments
[-] bigben111@lemmy.ml 54 points 1 year ago

How did it happen and what does this mean for me as a user of lemmy.ml who also follows people on lemmy.world?

[-] Stovetop@lemmy.ml 69 points 1 year ago

One of the admin accounts appears to have been compromised. The owner/other admins appear to be aware now because that account had its admin access revoked and offending posts are being removed.

Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

[-] hawkwind@lemmy.management 26 points 1 year ago

I wouldn't assume reasons why or that it's fixed until that consensus has been more widely reached.

[-] Stovetop@lemmy.ml 4 points 1 year ago* (last edited 1 year ago)

More time will definitely be needed. I'm glad they caught it and acted quickly enough to prevent more vandalism from occurring, but until we know how the account was compromised and what else they may have gotten in the process, it's still a situation to keep an eye on.

[-] hawkwind@lemmy.management 2 points 1 year ago

They are still acting on it, seems.

[-] eerongal@ttrpg.network 16 points 1 year ago

Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

They added 2FA login to lemmy in one of the newer updates. Probably pretty pertinent for any admins to use it....

[-] ebits21@lemmy.ca 10 points 1 year ago* (last edited 1 year ago)

It’s buggy and missing some key checks to make sure it’s working when you set it up.

Real risk of locking yourself out of your account.

[-] eerongal@ttrpg.network 3 points 1 year ago

oh, really? maybe i'll turn mine off then.....Thanks for the heads up!

[-] ebits21@lemmy.ca 6 points 1 year ago

Mostly a risk on initial setup.

I’ve been waiting a bit for it to stabilize and just using huge random passwords

[-] Zetaphor@zemmy.cc 4 points 1 year ago

If you're using a password manager you'd be doing this for every site and without even having to think about it. Bitwarden is a great choice.

[-] ebits21@lemmy.ca 1 points 1 year ago* (last edited 1 year ago)

Oh I do. Used Bitwarden for many years.

I actually use keepass for totp codes too.

[-] bdonvr@thelemmy.club 3 points 1 year ago

Also I believe this was achieved through cookie stealing, which 2FA would not have helped

[-] bdonvr@thelemmy.club 1 points 1 year ago

Too bad it doesn't work with several 2FA apps and right now....

[-] bigben111@lemmy.ml 7 points 1 year ago

Thanks for the context

[-] ebits21@lemmy.ca 5 points 1 year ago

They really need to improve their 2fa implementation

[-] Max_P@lemmy.max-p.me 22 points 1 year ago

Not a whole lot - you might see some spam being federated from lemmy.world but I'd expect the lemmy.ml and lemmy.world admins will fix it, and them clean it up.

That's probably good stress test to figure out how to handle that.

[-] bigben111@lemmy.ml 6 points 1 year ago

Thanks for the response very helpful.

this post was submitted on 10 Jul 2023
348 points (100.0% liked)

Fediverse

17625 readers
43 users here now

A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of "federation" and "universe".

Getting started on Fediverse;

founded 4 years ago
MODERATORS
deadsuperhero@lemmy.ml
wakest@lemmy.ml