• Stovetop
    77
    1 year ago

    One of the admin accounts appears to have been compromised. The owner/other admins appear to be aware now because that account had its admin access revoked and offending posts are being removed.

    Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

      • Stovetop
        7
        edit-2
        1 year ago

        More time will definitely be needed. I’m glad they caught it and acted quickly enough to prevent more vandalism from occurring, but until we know how the account was compromised and what else they may have gotten in the process, it’s still a situation to keep an eye on.

    • @eerongal@ttrpg.network
      18
      1 year ago

      Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

      They added 2FA login to lemmy in one of the newer updates. Probably pretty pertinent for any admins to use it…

      • @ebits21@lemmy.ca
        11
        edit-2
        1 year ago

        It’s buggy and missing some key checks to make sure it’s working when you set it up.

        Real risk of locking yourself out of your account.

          • @ebits21@lemmy.ca
            6
            1 year ago

            Mostly a risk on initial setup.

            I’ve been waiting a bit for it to stabilize and just using huge random passwords.

            • @Zetaphor@zemmy.cc
              4
              1 year ago

              If you’re using a password manager you’d be doing this for every site and without even having to think about it. Bitwarden is a great choice.

              • The Cuuuuube
                5
                1 year ago

                I like KeePass. Bitwarden currently has an nginx exposure in the Dockerfile published in their git repo (may have been fixed since a couple of days ago). That said, I used Bitwarden for many years and switched out of an abundance of paranoia, and am definitively not recommending against it. Just basically use one of the following:

                • Bitwarden
                • KeePass
                • 1password

                And stay far the fuck away from LastPass

              • @ebits21@lemmy.ca
                1
                edit-2
                1 year ago

                Oh I do. Used Bitwarden for many years.

                I actually use KeePass for TOTP codes too.