• Stovetop@lemmy.mlEnglish
    6·
    1 year ago

    One of the admin accounts appears to have been compromised. The owner/other admins appear to be aware now because that account had its admin access revoked and offending posts are being removed.

    Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

    • eerongal@ttrpg.networkEnglish
      2·
      1 year ago

      Definitely opens up a big question about the security of Lemmy instances that I am sure will be discussed over the next few days.

      They added 2FA login to lemmy in one of the newer updates. Probably pretty pertinent for any admins to use it…

      • bdonvr@thelemmy.clubEnglish
        3·
        1 year ago

        Also I believe this was achieved through cookie stealing, which 2FA would not have helped

      • ebits21@lemmy.caEnglish
        3·
        1 year ago

        It’s buggy and missing some key checks to make sure it’s working when you set it up.

        Real risk of locking yourself out of your account.

          • ebits21@lemmy.caEnglish
            1·
            1 year ago

            Mostly a risk on initial setup.

            I’ve been waiting a bit for it to stabilize and just using huge random passwords

            • Zetaphor@zemmy.ccEnglish
              1·
              1 year ago

              If you’re using a password manager you’d be doing this for every site and without even having to think about it. Bitwarden is a great choice.

              • ebits21@lemmy.caEnglish
                1·
                1 year ago

                Oh I do. Used Bitwarden for many years.

                I actually use keepass for totp codes too.

              • The Cuuuuube@beehaw.orgEnglish
                0·
                1 year ago

                I like KeePass. Bitwarden currently has an nginx exposure in the Dockerfile published in their git repo (may have been fixed since a couple of days ago). That said, I used Bitwarden for many years and switched out of an abundance of paranoia, and am definitively not recommending against it. Just basically use one of the following:

                • Bitwarden
                • KeePass
                • 1password

                And stay far the fuck away from LastPass

                • delollipop@beehaw.orgEnglish
                  0·
                  1 year ago

                  my uni is currently still recommending lastpass as of now, tho I’ve heard they might be looking for alternatives …

                  • The Cuuuuube@beehaw.orgEnglish
                    1·
                    1 year ago

                    Let your classmates know that last pass has semi permanently damaged their trustworthiness by trying to hide a security breach, and then downplaying the severity of the breach, and that your University’s security recommendations are intrinsically suspect as a result