• bigben111@lemmy.ml · 60 up / 1 down · 1 year ago

    How did it happen and what does this mean for me as a user of lemmy.ml who also follows people on lemmy.world?

    • Stovetop@lemmy.ml · 75 up / 1 down · 1 year ago

      One of the admin accounts appears to have been compromised. The owner/other admins appear to be aware now because that account had its admin access revoked and offending posts are being removed.

      Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

        • Stovetop@lemmy.ml · 6 up · edited · 1 year ago

          More time will definitely be needed. I’m glad they caught it and acted quickly enough to prevent more vandalism from occurring, but until we know how the account was compromised and what else they may have gotten in the process, it’s still a situation to keep an eye on.

      • eerongal@ttrpg.network · 17 up · 1 year ago

        > Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

        They added 2FA login to lemmy in one of the newer updates. Probably pretty pertinent for any admins to use it…

        • ebits21@lemmy.ca · 10 up · edited · 1 year ago

          It’s buggy and missing some key checks to make sure it’s working when you set it up.

          Real risk of locking yourself out of your account.

            • ebits21@lemmy.ca · 5 up · 1 year ago

              Mostly a risk on initial setup.

              I’ve been waiting a bit for it to stabilize and just using huge random passwords.

              • Zetaphor@zemmy.cc · 4 up · 1 year ago

                If you’re using a password manager you’d be doing this for every site and without even having to think about it. Bitwarden is a great choice.

                • ebits21@lemmy.ca · 1 up · edited · 1 year ago

                  Oh I do. Used Bitwarden for many years.

                  I actually use keepass for totp codes too.

        • bdonvr@thelemmy.club · 3 up · 1 year ago

          Also, I believe this was achieved through cookie stealing, which 2FA would not have helped with.
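
Two points in this sub-thread are easy to see in a small model: a 2FA setup flow that enables the second factor before the user has proven their authenticator works (the lockout risk ebits21 describes), and the fact that a stolen session cookie bypasses 2FA entirely because later requests never present a second factor (bdonvr's comment). The code below is an added example written for this page, not Lemmy's code; the AuthService class, its in-memory user and session stores, the sample "admin" account, the password and the timestamp are all constructed for the demo. The TOTP routine follows RFC 6238 (HMAC-SHA1, 6 digits, one 30-second step of tolerance either side).

```python
"""Added example, not Lemmy's implementation: toy login service modelling
(1) verify-before-enable TOTP enrollment and (2) bearer session cookies.
Every name, store and sample value here is constructed for the demo."""
import base64
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation."""
    counter = struct.pack(">Q", int(at // step))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp_valid(secret: bytes, code: str, at: float) -> bool:
    """Accept the current step or one step either side; constant-time compare."""
    return any(hmac.compare_digest(totp(secret, at + d), code) for d in (-30, 0, 30))


class AuthService:
    def __init__(self):
        self.users = {}     # name -> {"pw", "totp" (active secret), "pending" (unconfirmed secret)}
        self.sessions = {}  # cookie value -> {"user", "expires"}

    def register(self, name, password):
        # Demo stores the password in clear; real code stores a salted hash.
        self.users[name] = {"pw": password, "totp": None, "pending": None}

    # 2FA enrollment in two steps: nothing is enforced until step 2 succeeds.
    def start_totp_enrollment(self, name) -> str:
        secret = secrets.token_bytes(20)
        self.users[name]["pending"] = secret
        return base64.b32encode(secret).decode()  # what the QR code would carry

    def confirm_totp_enrollment(self, name, code, at) -> bool:
        pending = self.users[name]["pending"]
        if pending is None or not totp_valid(pending, code, at):
            return False  # authenticator not proven: 2FA stays off, no lockout
        self.users[name]["totp"], self.users[name]["pending"] = pending, None
        return True

    def login(self, name, password, at, code=None, ttl=3600):
        """Password (+ TOTP once enabled) is checked here and only here."""
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(user["pw"], password):
            return None
        if user["totp"] is not None and (code is None or not totp_valid(user["totp"], code, at)):
            return None
        sid = secrets.token_urlsafe(32)  # the session cookie: a bearer token
        self.sessions[sid] = {"user": name, "expires": at + ttl}
        return sid

    def whoami(self, sid, at):
        """Every later request presents only the cookie: no password, no TOTP."""
        s = self.sessions.get(sid)
        return None if s is None or s["expires"] <= at else s["user"]

    def revoke_all_sessions(self, name):
        """The server-side remedy once a cookie is out: invalidate every session."""
        for sid in [k for k, v in self.sessions.items() if v["user"] == name]:
            del self.sessions[sid]


def demo(now=1_700_000_000.0):
    """Enrollment, login, cookie replay and revocation; returns what was observed."""
    svc = AuthService()
    svc.register("admin", "correct horse battery staple")  # constructed sample user
    secret = base64.b32decode(svc.start_totp_enrollment("admin"))
    accepted = {totp(secret, now + d) for d in (-30, 0, 30)}
    wrong = next(f"{i:06d}" for i in range(10 ** 6) if f"{i:06d}" not in accepted)
    out = {}
    out["enabled_after_wrong_code"] = svc.confirm_totp_enrollment("admin", wrong, now)
    out["enabled_after_good_code"] = svc.confirm_totp_enrollment("admin", totp(secret, now), now)
    out["password_only_login"] = svc.login("admin", "correct horse battery staple", now)
    sid = svc.login("admin", "correct horse battery staple", now, code=totp(secret, now))
    # Attacker replays the exfiltrated cookie (however obtained) from another machine:
    out["cookie_replay_user"] = svc.whoami(sid, now + 600)
    svc.revoke_all_sessions("admin")
    out["after_revoke_user"] = svc.whoami(sid, now + 601)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it shows the enrollment attempt with a wrong code leaving 2FA off (so a mis-scanned secret cannot lock the user out), a password-only login failing once 2FA is on, the replayed cookie still returning "admin" with no second factor involved, and the cookie dying only when sessions are revoked server-side. That is the practical reading of both comments: confirm a code before enabling a factor, and on suspected compromise invalidate sessions and rotate whatever the session could reach, since adding factors to the login form does nothing for a token already in the attacker's hands.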

    • Max-P@lemmy.max-p.me · 24 up / 1 down · 1 year ago

      Not a whole lot - you might see some spam being federated from lemmy.world, but I’d expect the lemmy.ml and lemmy.world admins will fix it and then clean it up.

      That’s probably a good stress test to figure out how to handle that.