They've been redirecting to lemon party and some weird video. Do not go to the website. This is the admin that has been hacked:

EDIT: lemmy.blahaj.zone also compromised!

  • TruckBC (MA) · English · ↑53 · edited · 1 year ago

    Out of precaution we will defederate from lemmy.world until this is resolved.

    Edit: Lemmy.world has resolved the issue

      • TruckBC (MA) · English · ↑9 ↓1 · 1 year ago

        Thank you for the heads up that it’s fixed.

      • TruckBC (MA) · English · ↑6 · 1 year ago

        Although requiring 2FA for all admins on your instance seems appropriate.

        To my knowledge we all have 2FA enabled. Will confirm.

    • remotedev · English · ↑2 · 1 year ago

      Have they resolved it? I can’t comment there, or is that from this instance defederating from them? I don’t have my lemmy.world account on this app

      • TruckBC (MA) · English · ↑3 · 1 year ago

        We believe they have resolved it but we will remain defederated overnight.

  • bioemerl@kbin.social · ↑10 · 1 year ago

    And this is why you use a password manager whenever you make new accounts on the internet.

    If you had an account on the Lemmy.world website you need to change your password.

  • Tugboater203@kbin.social · ↑9 · 1 year ago

    It’s still compromised, right now it’s showing text that says site seized by reddit for copyright infringement. Lol. Jerboa is just showing Lemmy World heads

  • Anon819450514 · English · ↑8 · 1 year ago

    The page it redirects to is named Israel and it redirects to a blank page with “This site was seized by Reddit for copyright infringement”. So no, they don’t have control yet.

  • solarzones@kbin.social · ↑7 · 1 year ago

    I am glad I’m on programming.dev for lemmy, but this could’ve happened to anyone. Hope nothing catastrophic happens

    • thundercunt@lemm.ee · English · ↑13 ↓2 · edited · 1 year ago

      this feels too intentional with two big servers in this short time frame icl

      • zephyreks · English · ↑2 · 1 year ago

        Reddit gotta do what Reddit gotta do to keep their IPO alive

  • sykccc · English · ↑3 · 1 year ago

    Looks like it’s gonna be a bit to really put a lid on this, but I guess another sign why this is a good system?

  • mintiefresh · English · ↑2 · 1 year ago

    Yeah… I caught all that. Glad to see that they fixed it already though. Rough day for Rudd.

  • V699@kbin.social · ↑2 · 1 year ago

    I logged on and was like wtf because the site still works. Thought my phone was hacked heh

  • PenguinTD · English · ↑2 · 1 year ago

    Is there a way to not do email verification but still use 2FA? That way, even if a user’s account is somehow phished/compromised, it won’t compromise their other accounts.

    • TruckBC (MA) · English · ↑3 · 1 year ago

      I just successfully set up 2FA for an account on another instance that doesn’t have a verified email without any issues, so there’s no need to have done email verification to use 2FA.

    • elscallr@kbin.social · ↑1 · 1 year ago

      Absolutely you can do no phone/email and MFA. It’s a TOTP thing like Google or Microsoft authenticator. The service doing the authentication has no idea how it’s done on the other side, it just makes sure the codes match.