this post was submitted on 10 Jul 2023
247 points (100.0% liked)
Fediverse
757 readers
1 users here now
A community dedicated to fediverse news and discussion.
Fediverse is a portmanteau of "federation" and "universe".
Getting started on Fediverse;
- What is the fediverse?
- Fediverse Platforms
- How to run your own community
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
One of the admin accounts appears to have been compromised. The owner/other admins appear to be aware now because that account had its admin access revoked and offending posts are being removed.
Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.
I wouldn't assume reasons why or that it's fixed until that consensus has been more widely reached.
More time will definitely be needed. I'm glad they caught it and acted quickly enough to prevent more vandalism from occurring, but until we know how the account was compromised and what else they may have gotten in the process, it's still a situation to keep an eye on.
They are still acting on it, seems.
Yep, it's definitely not over.
They added 2FA login to lemmy in one of the newer updates. Probably pretty pertinent for any admins to use it....
It’s buggy and missing some key checks to make sure it’s working when you set it up.
Real risk of locking yourself out of your account.
oh, really? maybe i'll turn mine off then.....Thanks for the heads up!
Mostly a risk on initial setup.
I’ve been waiting a bit for it to stabilize and just using huge random passwords
If you're using a password manager you'd be doing this for every site and without even having to think about it. Bitwarden is a great choice.
I like KeePass. Bitwarden currently has an nginx exposure in the Dockerfile published in their git repo (may have been fixed since a couple of days ago). That said, I used Bitwarden for many years and switched out of an abundance of paranoia, and am definitively not recommending against it. Just basically use one of the following:
And stay far the fuck away from LastPass
my uni is currently still recommending lastpass as of now, tho I’ve heard they might be looking for alternatives …
Let your classmates know that last pass has semi permanently damaged their trustworthiness by trying to hide a security breach, and then downplaying the severity of the breach, and that your University's security recommendations are intrinsically suspect as a result
Thanks for the context
They really need to improve their 2fa implementation