Thanks for the transparency.

Thanks for your efforts. I know that Lemmy was put in place rather quickly as a Reddit alternative. But I'm genuinely hopeful that this will be a good alternative.

Does an admin account have any permissions to view email addresses or data of registered users?

Did MichelleG not have 2FA enabled?

Now that this has happened, it's be worth pushing this issue through as high priority. If HttpOnly was enabled, then an admin takeover would not have been possible.

https://github.com/LemmyNet/lemmy-ui/issues/1252

Ugh, people should not go after systems trying to give a free service to the internet. It just ruins everything.

Great lemmies! Thanks for uniting us.

How do we know you're the real you? This all could be part of the plan!

That shit sucks, I'm so sorry. I'm glad you got it under control. Nothing but admiration from me for doing all this hard work.

New code, new challenges. It's a new world out there and largely is pretty great. Thanks again.

Yah, I noticed my Lemmies auto-corrupted to Lemurs.

I don't care. I'm keeping it.

Lemurs are cute.

Soo it looks like the entry for this instance was also changed on https://lemmyverse.net/ . At least I hope it is the hack

I can only log in on incognito mode, which makes me think my cookie has been stolen or whatever. So my question is, what should I be doing about that?

Once again, thank you guys for all that you do. As many other people are saying, appreciate the transparency about these things.

Pardon the ignorance, but how do I know if I was compromised? what do?

Thanks for the great work. The response time was awesome, considering you were asleep as well.

One thing I don't get. Custom emojis can only be created by an admin, but you're saying an admin's account here got compromised because of that and not the other way around. Does that mean that an evil instance set a custom emoji with the injected JavaScript and propagated it to the federated instances?

I can't log into my account anymore, this one is a new one I've just made. I tried to reset my password but nothing came in the mailbox. I can still see comments and posts from that account though.

It's this one:

And I don't know why but I can't save the profile pic for this account.

Edit: Nvm, I use another email to sign up for Lemmy and forgot about it

Amazing how you quickly reacted to this!! Bravo!!

TIP: if you can't login after what happened, clear out your browser cache including ALL cookies, that fixes it (it did for me at least). I believe it's also advisable to change lemmy password.

I had to create a new account. I tried enabling 2FA on my main account a week ago, but was never able to generate a token. Now when I try logging in it is asking for my 2FA token. Is there any way to get my account back. I'm a moderator of a community.

This is why I've decided against running my own Lemmy instance. Too much work to have to keep up constantly with updating, too big of an attractive target for attackers.

Thanks for the transparency. Was having issues with Lemmy, now seems everything back to normal. Got a question, Just to add an extra layer of security, Do i need to use ToR or VPN with Lemmy ?

As someone in EU I didn't even realized there was an issue. Well done and great reaction time! Also thank you for the transparency 👑

Rock on, Rudd.