Warning: lemmy.world just got hacked

darrsil@beehaw.org to Beehaw Support@beehaw.org – 171 points –

I would be cautious about viewing any Lemmy.world communities right now, and the Beehaw admins should make sure their credentials are locked down in case they get targeted next.


If done via hacked admin credentials, this is a great advertisement for enabling 2FA anywhere it's supported. AIUI Lemmy is also getting support for this for user accounts soon (https://github.com/LemmyNet/lemmy/issues/2363)

Oh wait, so 2FA doesn't fully work yet? I guess that explains why I've been having such a hard time trying to get it set up.

It works, but it's half-assed. The way Lemmy sets it up only works on a portion of authenticators, and ones like Authy aren't among them. Then it also doesn't have a confirmation before enabling it, so you may think it's working but then get locked out of your account when you can't log in next time around.

The best way to test it is to enable 2FA and set up the code, but keep your Lemmy settings open. Then open an incognito window and see if you can log in using the 2FA code. If you can't, go back to the settings window and disable 2FA.
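The missing confirmation step discussed in the comments above, sketched as an added example that is not part of the thread and not Lemmy's code: 2FA stays off until the user submits one code their authenticator actually produced, so an incompatible app cannot cause a lockout. `Enrollment`, `confirm` and `login_requires_code` are hypothetical names, and the secret is the published RFC 6238 test key.

```python
import base64, hashlib, hmac, secrets, struct, time

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the Unix time `at`."""
    key = base64.b32decode(secret_b32)
    counter = max(0, int((time.time() if at is None else at) // step))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Enrollment:  # hypothetical server-side enrollment state
    def __init__(self, secret_b32=None):
        # The secret is generated and shown to the user, but 2FA is NOT yet enforced.
        self.secret = secret_b32 or base64.b32encode(secrets.token_bytes(20)).decode()
        self.enabled = False

    def confirm(self, code, at=None, window=1, step=30):
        """Enable 2FA only if `code` matches within +/- `window` time steps."""
        now = time.time() if at is None else at
        for drift in range(-window, window + 1):
            expected = totp(self.secret, now + drift * step, step)
            if hmac.compare_digest(expected.encode(), str(code).encode()):
                self.enabled = True
                return True
        return False  # enrollment stays pending; password-only login still works

    def login_requires_code(self):
        return self.enabled

RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of the RFC 6238 test key

def demo():
    e = Enrollment(RFC_SECRET)
    rejected = e.confirm("000000", at=59)        # constructed wrong code
    still_off = not e.login_requires_code()      # no lockout after a failed confirm
    accepted = e.confirm(totp(RFC_SECRET, at=59), at=59)
    return rejected, still_off, accepted, e.login_requires_code()

if __name__ == "__main__":
    print(demo())
```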