FYI!!! In case you start getting re-directed to porn sites.
Maybe the admin got hacked?
edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.
Post discussing the point of vulnerability: https://lemmy.ml/post/1896249
Github Issue created here: https://github.com/LemmyNet/lemmy-ui/issues/1895
Yep, same. It was also the most likely scenario.
It looks like it was an individual admin getting hacked. Not good but not the worst. Most fallout will probably be whether their security practices were sufficient for an admin and whether lemmy has good enough contingencies for this sort of thing. Lemmy’s 2FA is probably a hot issue now though.
The JWT are likely a hot issue, already some Issues on GitHub about them not being revoked properly.
Oh man, that would be brutal if they are resetting the password and it isn’t kicking the attacker out…
JWT issue opened 4 days ago: https://github.com/LemmyNet/lemmy/issues/3499
Yeah, I’ve been scared to turn on 2FA with all the reports of people being locked out:
Yeah, the Lemmy 2FA implementation sucks. It only works in certain authenticators - Authy not being one of them. Google Authenticator does work and apparently so does the iOS keychain (but can’t confirm that one).
Best way to do it is to enable it and set it up but keep the settings window open, then open a separate incognito window and try to log in. If your 2FA code doesn’t work, go back to the other settings window and disable it.
