• maegul (he/they)@lemmy.ml
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Yep, same. It was also the most likely scenario.

    It looks like it was an individual admin getting hacked. Not good but not the worst. Most fallout will probably be whether their security practices were sufficient for an admin and whether lemmy has good enough contingencies for this sort of thing. Lemmy’s 2FA is probably a hot issue now though.

    • RoundSparrow@lemmy.ml
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      The JWT are likely a hot issue, already some Issues on GitHub about them not being revoked properly.

      • CMahaff@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Oh man, that would be brutal if they are resetting the password and it isn’t kicking the attacker out…

        • Max-P@lemmy.max-p.me
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          That’s probably what happened here because they did revoke the admin’s access, but it continued.

    • Rentlar@lemmy.ca
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      OK good to know that the server itself is unlikely to be compromised. I’ll be changing passwords to all my accounts once this blows over.

      • darrsil@beehaw.org
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Yeah, the Lemmy 2FA implementation sucks. It only works in certain authenticators - Authy not being one of them. Google Authenticator does work and apparently so does the iOS keychain (but can’t confirm that one).

        Best way to do it is to enable it and set it up but keep the settings window open, then open a separate incognito window and try to log in. If your 2FA code doesn’t work, go back to the other settings window and disable it.

    • G59@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      The hacked MichelleG account actually commented that it did not have MFA enabled lol. This was on the lemmy.world shitpost community, on one of the posts making memes about the situation. Hilarious that the hacker decided to share that.