this post was submitted on 10 Aug 2024

101 points (99.0% liked)

Lemmy.World Announcements

28905 readers

13 users here now

This Community is intended for posts about the Lemmy.world server by the admins.

Follow us for server news 🐘

Outages 🔥

https://status.lemmy.world

For support with issues at Lemmy.world, go to the Lemmy.world Support community.

Support e-mail

Any support requests are best sent to [email protected] e-mail.

Report contact

DM https://lemmy.world/u/lwreport
Email [email protected] (PGP Supported)

Donations 💗

If you would like to make a donation to support the cost of running this platform, please do so at the following donation URLs.

If you can, please use / switch to Ko-Fi, it has the lowest fees for us

Join the team

founded 1 year ago

MODERATORS

101

[Restored] Accidental 2FA removal for LW users (self.lemmyworld)

submitted 1 month ago* (last edited 1 month ago) by lwadmin to c/lemmyworld

12 comments fedilink hide all child comments

Hello Lemmy.World users,

yesterday we had an incident where human error lead to accidental removal of 2FA for all Lemmy.World users.
Until the mistake had been corrected and the original state had been restored where possible, 2FA was not enforced for any logins, even if the user enabled 2FA prior to this.

Timeline (all times in UTC):

Approximately at 2024-08-09 09:30 MFA had been removed for all users due to a mistake when MFA was intended to be reset for an individual user.
Around 2024-08-09 22:10 we became aware of the issue due to a user reporting that they were no longer prompted for 2FA on login. We immediately started an investigation to determine the root cause for this and discovered the mistake that was done earlier. Once the root cause was identified we started working on restoring the original state.
At 2024-08-10 01:10:00 2FA had been reactivated for all users that previously had 2FA enabled and hadn't reactivated it on their own since. After additional investigation to identify affected users with 2FA that had logged in during this period, we have sent out individual messages with information about logins to their accounts during this period.

Although less than 2% of our active users have 2FA enabled, we are committed to keep our user accounts as secure as reasonably possible, and we will review our processes for resetting 2FA for individual users going forward to reduce the risk of this happening again in the future.
Fortunately our robust backup database backups allowed us to revert the exact state we had just before this change happened, allowing us to restore the original 2FA secrets for all affected users.
During this period, we have observed a total of 824 logins. 18 of these logins were done by 14 users who had 2FA disabled. Notifications to all affected users who we observed logins for during this period have been sent shortly after publishing this post.
2 users had reactivated their 2FA already on their own, so we have not reverted their 2FA to the previous state.

If you have any concerns that your account may have been compromised during this period due to the lack of 2FA enforcement feel free to reach out to us via email to [email protected] or via PM to @[email protected].

top 12 comments

sorted by: hot top controversial new old

[–] [email protected] 15 points 1 month ago (2 children)

Nice work.

2% with 2FA seems low. People need to get on the ball, but of course there are probably plenty of "bots" that don't bother with that.

[–] wjs018 14 points 1 month ago (2 children)

I am guessing a large portion of those might be inactive accounts as well. When the reddit exodus was at its peak, there were definite issues with the way 2FA worked in lemmy. I think it got reset at one point due to changes made in subsequent lemmy versions and users had to re-enable it.

[–] MrKaplan 11 points 1 month ago (1 children)

we were only counting users active in the last 6 months (based on lemmys active user stats) for this calculation. with the update to lemmy 0.19 back in march 2FA for all existing users was reset, so all users that had 2fa set up before and never reactivated it wouldn't count towards this, nor would users that weren't active at all since then.

[–] wjs018 2 points 1 month ago

Thanks for the clarification!

[–] baatliwala 3 points 1 month ago (1 children)

Yeah I'm still scared of switching on 2FA in case something goes wrong.

[–] renzev 2 points 1 month ago

I once ended up locked out of a bunch of accounts because my phone with the authenticator app died. Oof.

Nowadays I use a TOTP dongle instead of an app and write down all of the keys in a paper notebook. Never again!

[–] randomaccount43543 6 points 1 month ago

Personally I don’t care at all if someone steals my Lemmy account so I don’t bother with 2FA. I only enable 2FA for things that matter

[–] Tanoh 10 points 1 month ago (1 children)

Approximately at 2024-08-09 09:30 MFA had been removed for all users due to a mistake when MFA was intended to be reset for an individual user.

An UPDATE without a WHERE?

[–] MrKaplan 9 points 1 month ago

no, the join was bad

[–] subtext 6 points 1 month ago

Thank you for the transparency!

[–] ouch 3 points 1 month ago

What was the bad query statement?

[–] notaltaccountlol 1 points 1 month ago

2 users had reactivated their 2FA already on their own, so we have not reverted their 2FA to the previous state.

one of them are me! i thought i enabled it for another account when i saw it on my authenticator app, but i could login without 2fa lmao