this post was submitted on 10 Jul 2023
483 points (99.2% liked)

Fediverse

17776 readers
38 users here now

A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of "federation" and "universe".

Getting started on Fediverse;

founded 5 years ago
MODERATORS
 

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?


edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

Github Issue created here: https://github.com/LemmyNet/lemmy-ui/issues/1895

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 78 points 1 year ago (4 children)

One of the admin accounts appears to have been compromised. The owner/other admins appear to be aware now because that account had its admin access revoked and offending posts are being removed.

Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

[–] [email protected] 33 points 1 year ago (1 children)

I wouldn't assume reasons why or that it's fixed until that consensus has been more widely reached.

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago) (1 children)

More time will definitely be needed. I'm glad they caught it and acted quickly enough to prevent more vandalism from occurring, but until we know how the account was compromised and what else they may have gotten in the process, it's still a situation to keep an eye on.

[–] [email protected] 3 points 1 year ago (1 children)

They are still acting on it, seems.

[–] [email protected] 3 points 1 year ago

Yep, it's definitely not over.

[–] [email protected] 18 points 1 year ago (3 children)

Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

They added 2FA login to lemmy in one of the newer updates. Probably pretty pertinent for any admins to use it....

[–] [email protected] 13 points 1 year ago* (last edited 1 year ago) (1 children)

It’s buggy and missing some key checks to make sure it’s working when you set it up.

Real risk of locking yourself out of your account.

[–] [email protected] 4 points 1 year ago (1 children)

oh, really? maybe i'll turn mine off then.....Thanks for the heads up!

[–] [email protected] 7 points 1 year ago (1 children)

Mostly a risk on initial setup.

I’ve been waiting a bit for it to stabilize and just using huge random passwords

[–] [email protected] 5 points 1 year ago (2 children)

If you're using a password manager you'd be doing this for every site and without even having to think about it. Bitwarden is a great choice.

[–] [email protected] 5 points 1 year ago (3 children)

I like KeePass. Bitwarden currently has an nginx exposure in the Dockerfile published in their git repo (may have been fixed since a couple of days ago). That said, I used Bitwarden for many years and switched out of an abundance of paranoia, and am definitively not recommending against it. Just basically use one of the following:

  • Bitwarden
  • KeePass
  • 1password

And stay far the fuck away from LastPass

[–] [email protected] 2 points 1 year ago (2 children)

my uni is currently still recommending lastpass as of now, tho I’ve heard they might be looking for alternatives …

[–] [email protected] 3 points 1 year ago (1 children)

LastPass has had a few security incidents lately. I do not trust them at all.

[–] [email protected] 1 points 1 year ago

This was not the first and it won't be the last. They've had issues going as far back as 2015. Don't keep your credentials with a paid platform. Use something you can fully audit and control yourself like Bitwarden or KeePass

[–] [email protected] 1 points 1 year ago

Let your classmates know that last pass has semi permanently damaged their trustworthiness by trying to hide a security breach, and then downplaying the severity of the breach, and that your University's security recommendations are intrinsically suspect as a result

[–] [email protected] 1 points 1 year ago
[–] [email protected] 1 points 1 year ago

I don't know that 1password should be on that list. The first two are free and open source. The last one is paid and proprietary.

Don't put your credentials in the hand of a company that requires you to trust them to not fuck up. Everyone thought LastPass was great until they weren't

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Oh I do. Used Bitwarden for many years.

I actually use keepass for totp codes too.

[–] [email protected] 3 points 1 year ago

Also I believe this was achieved through cookie stealing, which 2FA would not have helped

[–] [email protected] 1 points 1 year ago

Too bad it doesn't work with several 2FA apps and right now....

[–] [email protected] 8 points 1 year ago

Thanks for the context

[–] [email protected] 6 points 1 year ago

They really need to improve their 2fa implementation