Lemmy.world Site Redirects and More Removed
We know an issue occurred on the site over an hour ago with someone using my account to redirect the site, make fake posts, and change other settings. The problem has been corrected.
We will continue to monitor the situation and keep you informed.
What personal data did you give Lemmy? Lol. And if you're going to question lemmy.world then head over to every other instance and take your stance there too.
I don't use other instances, I use lemmy.world. Questioning why and how a major instance got hacked isn't an outlandish line of questioning; I need to know whether this will continue to be a safe, reliable, and secure instance to use otherwise I and presumably others will go elsewhere. This was relatively minor in the grand scheme of things, so hopefully it'll be enough to prompt a fix for whatever caused it (seems like it was possibly insecure code not correctly sanitising HTML).
The problem has been corrected.
No it hasn't. The main page still redirects to a picture of a guy with a cigar with the caption "Just raped a kid in the woods."
Under GDPR if you have had a data breach you have a legal obligation to assess whether you need to report it and you must make the report within 72 hours of discovering the breach.
There are other types of reportable breaches too, I only mention data as it sounds most likely. You may or may not be subject to PECR which may also have been breached although less likely. I don't really have enough familiarity with the regulation to discuss that one.
If you are not sure if there has been a breach you may also need to discuss it with the relevant body or make a report.
Please can you update what action you have taken regarding this and if the incident was reportable or not and the reasons why.
It would be good to know if you had 2FA enabled on the compromised account particularly as it had admin privileges and if so how 2FA was circumvented.
It would also be good to know what measures you have in place to prevent the same or other malicious attempts on your Open Collective and Patreon accounts as issues with those are potentially more serious.
Under GDPR if you have had a data breach you have a legal obligation to assess whether you need to report it and you must make the report within 72 hours of discovering the breach.
As an aside, this is why it's no longer possible in 2023 to host a social site as a hobby. Of course GDPR is good, I'm glad it exists, but as an individual, it's not the kind of responsibility I want for my hobby.
I think the difference between a hobby site and a large social media/ conversation platform is a site for your personal use without a comment section etc likely isn't covered, whereas a site handling users personal data and transferring data between jurisdictions is.
I absolutely agree there is no way I would want to navigate GDPR and other regulations as an individual and therefore no way I would host a Lemmy instance! It's a big and complex undertaking, where basic compliance isn't too difficult but dealing with any issues that you or someone else causes that impact you is a nightmare.
Doesn't GDPR only apply to businesses with more than 250 employees? Now that I type this out, does it apply to non-commercial actions at all? Does lemmy.world have even 1 "employee"?
Edit: I really should get better at just googling the questions I have instead of asking a stranger to do it, haha.
Some parts of it don't apply to small businesses but it's mostly about record keeping, and it doesn't matter if you are non-commercial, you still must comply.
The problem has been corrected.
The problem has not been corrected.
FYI: There is a bug in Lemmy right now where this post will not replicate to peer instances. Because you are only an "admin" of this community and postings are restricted to mods/admins, and other servers won't recognize you as an admin. You can make yourself a mod, but the posting already likely is in retry state. GitHub: https://github.com/LemmyNet/lemmy/issues/3571
Iβd just like to say that even with an admin account being compromised (get your shit together @MichelleG (mostly kidding but 2FA fr :P )), lemmy.world still worked well with third party apps, and most importantly: the majority of the fediverse was unimpacted!
Since I only use desktop, I didn't bother to check mobile, thought it was redirecting too.
It WAS fixed but it's back again, was another account compromised?
Confirmed, the defaced content is now back.
Looks like it's MichelleG again, either the hacker was able to reinstate the account or lemmy.world did and it was instantly compromised again.
Should this still be the case:
Not only that, but lemmy.ml has been defederated, and all of the other instances that were previously defederated have had federation restored.
Yup. Just saw that as well.
I'm getting zero posts and comments out of Lemmy.world to my instance since this incident started.
Meta and Zuck sent their best security engineer and this is the best they could do? Shameful π
Site is still under attack lol
They got in again. Site image is different than before (earlier hack it was trump, now it's that image of the woods guy), sidebar image is also the woods guy now (idr what it was earlier in the hack but something else), and instead of redirecting to lemon party, it now says "Site has been seized by Reddit for copyright infringment". Also they spelled infringement wrong.
Still happens in incognito mode and with cleared cache, or even a different browser. This is server side.
Opened incognito mode. lemmy.world is still issuing a redirect to: (https://lemmy.world/pictrs/image/7aa772b7-9416-45d1-805b-36ec21be9f66.mp4)
Should I even click that link or is it a bad idea? Iβm kinda curious since I havenβt seen any of whatβs happening yet since I only use Memmy and it hasnβt been affected by this
I was concerned when I opened my browser and suddenly a few Lemmy tabs prompt me to download this same file multiple times... Saved it and placed the mp4 in a Vm, I need to sleep so I'll pass a look over it when I wake.
There's "Israel" under some unusual bloke with a cigar for the Lemmy world icon...
Edit: don't seem to be having any current issues, looks like people are discussing on Reddit about the situation already. Good luck and stay safe whilst I'm asleep!
make fake posts
Such as this one. Do not follow any advice from @MichelleG at this time. It is highly likely the original user of the account has not fully regained control.
It is still redirecting for me. and the site is still messed up. so no the problem hasn't been corrected fully.
Your legal page is a lemming
.Edit - admins are aware. For now, hopefully Lemming J Crabbs attorney at law will do the necessary.
I'm not sure what to make of that, but this might shine some light.
Thanks - see there is post from Admins now. Quick work!
I now see this between Lemmy.World Israel and the Guy with the Cigar.
Anyone else seeing this?
Yes. Hacker is still in.
We seem to be back.
Saw something about Reddit copyright and havenβt opened the site all day. Something is definitely wrong with main site.
Actually, yeah, checking https://lemmy.world/api/v3/site I still see modified data. Somethingβs definitely still broken
FYI - the issue is affecting other lemmy instances as well, including lemmy.blahaj.zone. Looks like the XSS vulnerability is platform wide.
I saw and the site is still under attack.
Considering that this was/is the account that was compromised, I think it would be more reassuring if it was one of the other admins confirming that the situation has been resolved. Right now we have no proof that this isn't the hacker lying to cover up their misdeeds.
Well, now we know why this post was worded so weirdly. It's pretty obvious when you read it that this does not sound like any official announcements.
One of my posts first had the photo removed, then when it was replaced, the entire post was deleted, right in the middle of the hack, figured i'd like you know
No longer getting the "reddit copyright" page on desktop, now it's just an error page :/
Did this only affect people using web browsers?
I was wondering if admins and mods are required to have 2fa turned on for their accounts? Shouldnβt it be?