this post was submitted on 10 Jul 2023
173 points (98.9% liked)

Fediverse


A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of "federation" and "universe".


FYI!!! In case you start getting redirected to porn sites.

Maybe the admin got hacked?


edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

GitHub issue created here: https://github.com/LemmyNet/lemmy-ui/issues/1895

[–] [email protected] 4 points 1 year ago (3 children)

One of the admin accounts appears to have been compromised. The owner/other admins appear to be aware now because that account had its admin access revoked and offending posts are being removed.

Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

[–] [email protected] 2 points 1 year ago (3 children)

> Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

They added 2FA login to Lemmy in one of the newer updates. Probably pretty pertinent for any admins to use it....

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

It’s buggy and missing some key checks to make sure it’s working when you set it up.

Real risk of locking yourself out of your account.

[–] [email protected] 0 points 1 year ago (1 children)

Oh, really? Maybe I'll turn mine off then..... Thanks for the heads up!

[–] [email protected] 1 points 1 year ago (1 children)

Mostly a risk on initial setup.

I’ve been waiting a bit for it to stabilize and just using huge random passwords.

[–] [email protected] 1 points 1 year ago (1 children)

If you're using a password manager you'd be doing this for every site and without even having to think about it. Bitwarden is a great choice.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Oh, I do. Used Bitwarden for many years.

I actually use KeePass for TOTP codes too.

[–] [email protected] 3 points 1 year ago

Also, I believe this was achieved through cookie stealing, which 2FA would not have helped with.

[–] [email protected] 1 points 1 year ago

Too bad it doesn't work with several 2FA apps right now....

[–] [email protected] 2 points 1 year ago

I wouldn't assume reasons why or that it's fixed until that consensus has been more widely reached.

[–] [email protected] 1 points 1 year ago

They really need to improve their 2FA implementation.