So, Mastodon.social had a security breach and all private and follower-only messages were openly available.
This should serve as a reminder that DMs here are in no way private or secure.
Kinda a big deal
@sanguish How did you turn this into "all"?
@chucker @reneestephen @sanguish User archive takeouts are deleted after 7 days. Yes, we did rely on high-entropy randomly generated filenames to secure access, which normally would not be a problem with a correctly configured bucket policy.
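The reply above describes the defensive model in play: archive files with high-entropy random names, protected by a correctly configured bucket policy. As an added example (not code from this thread, from Mastodon, or from GNU social), here is a small Python linter over an S3-style JSON bucket policy that flags Allow statements granted to the anonymous principal. The storage provider, the policy format, the bucket name `example-archives`, the account id `111122223333` and the role name are assumptions for illustration. It reports two kinds of exposure separately, because they matter differently here: public read lets anyone who knows a filename fetch it, while public list lets anyone enumerate the filenames, which makes the randomness of the names irrelevant.

```python
import json

# Actions that let the grantee fetch object contents.
READ_ACTIONS = {"s3:GetObject", "s3:*", "*"}
# Actions that let the grantee enumerate keys; this defeats any
# "unguessable filename" scheme outright.
LIST_ACTIONS = {"s3:ListBucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for the anonymous principal, written "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy_json):
    """Return findings for Allow statements whose principal is everyone.

    Each finding is a dict with keys sid, kinds, resources, conditional.
    kinds is a sorted list drawn from {"read", "list"}.  conditional is
    True when the statement carries a Condition block; such a statement
    may be narrowed (for example to one VPC) but is still reported,
    because conditions are easy to get wrong and deserve manual review.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = set(_as_list(stmt.get("Action")))
        kinds = []
        if actions & READ_ACTIONS:
            kinds.append("read")
        if actions & LIST_ACTIONS:
            kinds.append("list")
        if kinds:
            findings.append({
                "sid": stmt.get("Sid"),
                "kinds": sorted(kinds),
                "resources": _as_list(stmt.get("Resource")),
                "conditional": "Condition" in stmt,
            })
    return findings


# Constructed sample: the weak configuration, where random filenames are
# the only thing standing between an archive and the public internet,
# and listing is open as well, so even the filenames leak.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicArchives",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-archives",
                     "arn:aws:s3:::example-archives/*"],
    }],
})

# Constructed sample: access restricted to one IAM role (placeholder
# account id and role name) that the application uses to hand out
# downloads; no anonymous grant at all.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/archive-exporter"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-archives",
                     "arn:aws:s3:::example-archives/*"],
    }],
})


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, find_public_statements(policy))
```

The check is deliberately conservative: anything granted to `*` is reported even if a Condition narrows it, and a wildcard action such as `s3:*` counts as both read and list. In the fixed layout, download links for end users would be time-limited pre-signed URLs issued by the application rather than a public grant on the bucket, so an archive that is deleted after a few days is also unreachable after its link expires.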
@sanguish sounds like just archives (if you went to back up your profile or migrate your account), not all -- pretty big difference! Strongly recommend editing your post for clarity and accuracy.
Still not great, to be fair; sounds like archives were stored public by default? (Isn't that how the Panama Papers site got breached?) Is this a protocol-wide thing or just local to mastodon.social? So potential unauthorized access, but no guarantee someone guessed filenames or actually grabbed anything.
@reneestephen @sanguish so do archives not auto-delete? I figured their intent was to be downloaded within a reasonable span of time.
If they do auto-delete, that suggests this affects only people who requested an archive, and only those who have done so recently.
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.