Lemmy.world is compromised

TruckBC, 10 months ago (edited 10 months ago)

Out of precaution we will defederate from lemmy.world until this is resolved.

Edit: Lemmy.world has resolved the issue

hawkwind, 10 months ago

It’s unresolved.

Roggie, 10 months ago

It is once again comprised

durablenapkin, 10 months ago

I appreciate the proactivity/precaution!

dampfnudel, 10 months ago (edited 10 months ago)

This seems unnecessary. The other Admins already removed the offending account as an admin.

Although requiring 2FA, for all admins on your instance seems appropriate. 

Edit: The instance is completely down after they briefly reinstated the compromised Admin’s account.

Please disregard my earlier comment. It’s a clown-show over there at lemmy.world right now.

TruckBC, 10 months ago

Thank you for the heads up that it’s fixed.

TruckBC, 10 months ago

Although requiring 2FA, for all admins on your instance seems appropriate.

To my knowledge we all have 2FA enabled. Will confirm.

remotedev, 10 months ago

Have they resolved it? I can’t comment there, or is that from this instance defederating from them? I don’t have my lemmy.world account on this app

TruckBC, 10 months ago

We believe they have resolved it but we will remain defederated overnight.

AnonymousLlama, 10 months ago

Lemonparty! Now that's a name I haven't heard in ages 🍋🍋🍋👴

sykccc, 10 months ago

Looks like it’s gonna be a bit really put a lid on this, but I guess another sign why this is a good system?

Tugboater203, 10 months ago

It's still compromised, right now it's showing text that says site seized by reddit for copyright infringement. Lol. Jerboa is just showing Lemmy World heads

Vampiric_Luma, 10 months ago

*infringment

Anon819450514, 10 months ago

The page redirects is named Israel and it redirects to blank page with “This site was seized by Reddit for copyright infringement”. So no, they don’t have control yet.

PenguinTD, 10 months ago

Is there a way to not do email verification but still using 2FA? That way, even if a user’s account is somehow phished/compromised, it won’t compromise their other accounts.

elscallr, 10 months ago

Absolutely you can do no phone/email and MFA. It's a TOTP thing like Google or Microsoft authenticator. The service doing the authentication has no idea how it's done on the other side, it just makes sure the codes match.

TruckBC, 10 months ago

I just successfully set up 2FA for an account on another instance that doesn’t have a verified email without any issues, so there’s no need to have done email verification to use 2FA.

hawkwind, 10 months ago

Guys, the new Israel lemmy instance has a lot of content I like, but some images I don’t agree with. should we defederate?

elscallr, 10 months ago

I don't think you realize what happened. The entire instance got fucked, it wasn't just some posts someone didn't like.

hawkwind, 10 months ago

I was trying to by funny. :(

mintiefresh, 10 months ago

Yeah… I caught all that. Glad to see that they fixed it already though. Rough day for Rudd.

ihavenopeopleskills, 10 months ago

Thanks for the heads-up. Password changed.

bioemerl, 10 months ago

And this is why you use a password manager whenever you make new accounts on the internet.

If you had an account on the Lemmy.world website you need to change your password.

V699, 10 months ago

I logged on and was like wtf because the site still works. Thought my phone was hacked heh

takina_soldpairtm, 10 months ago

Man, after all that commenting and stuff I did... :(

FARTYSHARTBLAST, 10 months ago

Bummer.

solarzones, 10 months ago

I am glad I’m on programming.dev for lemmy, but this could’ve happened to anyone. Hope nothing catastrophic happens

Izzy, 10 months ago

I was about to make a thread. Quite the bummer.