- how did this happen
- what steps are being taken to ensure it doesn't happen again
- was any personal data compromised for users?
this post was submitted on 10 Jul 2023
118 points (93.4% liked)
Lemmy.World Announcements
28964 readers
6 users here now
This Community is intended for posts about the Lemmy.world server by the admins.
Follow us for server news π
Outages π₯
https://status.lemmy.world
For support with issues at Lemmy.world, go to the Lemmy.world Support community.
Support e-mail
Any support requests are best sent to [email protected] e-mail.
Report contact
- DM https://lemmy.world/u/lwreport
- Email [email protected] (PGP Supported)
Donations π
If you would like to make a donation to support the cost of running this platform, please do so at the following donation URLs.
If you can, please use / switch to Ko-Fi, it has the lowest fees for us
Join the team
founded 1 year ago
MODERATORS
don't turn into reddit admins now, please answer this lol
Give them some time to investigate maybe?
Here's what I think happened: https://lemmy.world/comment/1059957
Basically it's Javascript that was injected in the main sidebar. That means that Lemmy doesn't escape HTML in the main sidebar (what about community sidebars?) and that Lemmy devs need to prioritize a security audit of the whole code base right now, I did this kind of shit when I was a kid and it's just insane that Lemmy has this vulnerability, this was not some sophisticated hack.
What it also means is that it's very unlikely that any personal data was compromised.
load more comments
(7 replies)
Hope you got that energy for the rest of Lemmy instances because they're all the same
Aviate, navigate, comunΓcate... Give them time to solve the issue.
load more comments
(3 replies)
The problem has been corrected.
No it hasn't. The main page still redirects to a picture of a guy with a cigar with the caption "Just raped a kid in the woods."
I came here to post this
Try clearing cache on your browser.
I did. It didn't help.
load more comments
(3 replies)
Under GDPR if you have had a data breach you have a legal obligation to assess whether you need to report it and you must make the report within 72 hours of discovering the breach.
There are other types of reportable breaches too, I only mention data as it sounds most likely. You may or may not be subject to PECR which may also have been breached although less likely. I don't really have enough familiarity with the regulation to discuss that one.
If you are not sure if there has been a breach you may also need to discuss it with the relevant body or make a report.
Please can you update what action you have taken regarding this and if the incident was reportable or not and the reasons why.
It would be good to know if you had 2FA enabled on the compromised account particularly as it had admin privileges and if so how 2FA was circumvented.
It would also be good to know what measures you have in place to prevent the same or other malicious attempts on your Open Collective and Patreon accounts as issues with those are potentially more serious.
Under GDPR if you have had a data breach you have a legal obligation to assess whether you need to report it and you must make the report within 72 hours of discovering the breach.
As an aside, this is why it's no longer possible in 2023 to host a social site as a hobby. Of course GDPR is good, I'm glad it exists, but as an individual, it's not the kind of responsibility I want for my hobby.
I think the difference between a hobby site and a large social media/ conversation platform is a site for your personal use without a comment section etc likely isn't covered, whereas a site handling users personal data and transferring data between jurisdictions is.
I absolutely agree there is no way I would want to navigate GDPR and other regulations as an individual and therefore no way I would host a Lemmy instance! It's a big and complex undertaking, where basic compliance isn't too difficult but dealing with any issues that you or someone else causes that impact you is a nightmare.
load more comments
(5 replies)
The problem has been corrected.
The problem has not been corrected.
FYI: There is a bug in Lemmy right now where this post will not replicate to peer instances. Because you are only an "admin" of this community and postings are restricted to mods/admins, and other servers won't recognize you as an admin. You can make yourself a mod, but the posting already likely is in retry state. GitHub: https://github.com/LemmyNet/lemmy/issues/3571
Iβd just like to say that even with an admin account being compromised (get your shit together @MichelleG (mostly kidding but 2FA fr :P )), lemmy.world still worked well with third party apps, and most importantly: the majority of the fediverse was unimpacted!
load more comments
(1 replies)
It WAS fixed but it's back again, was another account compromised?
Confirmed, the defaced content is now back.
Looks like it's MichelleG again, either the hacker was able to reinstate the account or lemmy.world did and it was instantly compromised again.
Should this still be the case:
Not only that, but lemmy.ml has been defederated, and all of the other instances that were previously defederated have had federation restored.
Yup. Just saw that as well.
load more comments
(2 replies)
There's still issues going on, sending a message results in the same redirect, and the instance icon has been changed again as well as the instance name.
EDIT: Redirect is back as well.
EDIT2: Attack is still ongoing
load more comments
(4 replies)
Site is still under attack lol
They got in again. Site image is different than before (earlier hack it was trump, now it's that image of the woods guy), sidebar image is also the woods guy now (idr what it was earlier in the hack but something else), and instead of redirecting to lemon party, it now says "Site has been seized by Reddit for copyright infringment". Also they spelled infringement wrong.
Still happens in incognito mode and with cleared cache, or even a different browser. This is server side.
It is still redirecting for me. and the site is still messed up. so no the problem hasn't been corrected fully.
Opened incognito mode. lemmy.world is still issuing a redirect to: (https://lemmy.world/pictrs/image/7aa772b7-9416-45d1-805b-36ec21be9f66.mp4)
load more comments
(13 replies)
make fake posts
Such as this one. Do not follow any advice from @MichelleG at this time. It is highly likely the original user of the account has not fully regained control.
This user made a terse "status update" post to /m/random on kbin right after this one (with a post language of Afrikaans??), which makes no sense at all. Do not trust any status updates coming from this lemmy.world account.
load more comments
(1 replies)
Saw something about Reddit copyright and havenβt opened the site all day. Something is definitely wrong with main site.
Actually, yeah, checking https://lemmy.world/api/v3/site I still see modified data. Somethingβs definitely still broken
We seem to be back.
I now see this between ~~Lemmy.World~~ Israel and the Guy with the Cigar.
Anyone else seeing this?
load more comments
(1 replies)
Your legal page is a lemming
.
Edit - admins are aware. For now, hopefully Lemming J Crabbs attorney at law will do the necessary.
load more comments
(2 replies)
view more: next βΊ