FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?


edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

  • eerongal@ttrpg.network
    link
    fedilink
    English
    arrow-up
    13
    ·
    1 year ago

    Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

    They added 2FA login to lemmy in one of the newer updates. Probably pretty pertinent for any admins to use it…

    • ebits21@lemmy.ca
      link
      fedilink
      English
      arrow-up
      8
      ·
      edit-2
      1 year ago

      It’s buggy and missing some key checks to make sure it’s working when you set it up.

      Real risk of locking yourself out of your account.

        • ebits21@lemmy.ca
          link
          fedilink
          English
          arrow-up
          6
          ·
          1 year ago

          Mostly a risk on initial setup.

          I’ve been waiting a bit for it to stabilize and just using huge random passwords

          • Zetaphor@zemmy.cc
            link
            fedilink
            English
            arrow-up
            5
            ·
            1 year ago

            If you’re using a password manager you’d be doing this for every site and without even having to think about it. Bitwarden is a great choice.

            • The Cuuuuube@beehaw.org
              link
              fedilink
              English
              arrow-up
              5
              ·
              1 year ago

              I like KeePass. Bitwarden currently has an nginx exposure in the Dockerfile published in their git repo (may have been fixed since a couple of days ago). That said, I used Bitwarden for many years and switched out of an abundance of paranoia, and am definitively not recommending against it. Just basically use one of the following:

              • Bitwarden
              • KeePass
              • 1password

              And stay far the fuck away from LastPass

              • delollipop@beehaw.org
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                my uni is currently still recommending lastpass as of now, tho I’ve heard they might be looking for alternatives …

                • Boeman@lemmy.ml
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  ·
                  1 year ago

                  LastPass has had a few security incidents lately. I do not trust them at all.

                • The Cuuuuube@beehaw.org
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 year ago

                  Let your classmates know that last pass has semi permanently damaged their trustworthiness by trying to hide a security breach, and then downplaying the severity of the breach, and that your University’s security recommendations are intrinsically suspect as a result

              • Zetaphor@zemmy.cc
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                I don’t know that 1password should be on that list. The first two are free and open source. The last one is paid and proprietary.

                Don’t put your credentials in the hand of a company that requires you to trust them to not fuck up. Everyone thought LastPass was great until they weren’t

            • ebits21@lemmy.ca
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              1 year ago

              Oh I do. Used Bitwarden for many years.

              I actually use keepass for totp codes too.

    • bdonvr@thelemmy.club
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Also I believe this was achieved through cookie stealing, which 2FA would not have helped