🚨 Kolektiva.social SECURITY ALERT 🚨
This is an alert for Kolektiva.social users. Please read this post in its entirety!
In mid-May 2023, the home of one of Kolektiva.social's admins was raided, and all their electronics were seized by the FBI. The raid was part of an investigation into a local protest. Kolektiva was neither a subject nor target of this investigation. Today, that admin was charged in relation to their alleged participation in this protest.
Unfortunately, at the time of the raid, our admin was troubleshooting an issue and working with a backup copy of the Kolektiva.social database. This backup, dated from the first week of May 2023, was in an *unencrypted* state when the raid occurred and it was seized, along with everything else.
The database is the heart of a Mastodon server. A database copy such as the one seized may include any of the following user data, in this case up to date as of early May 2023:
- User account information like the e-mail address associated with your account, your followers and follows, etc.
- All your posts: public, unlisted, followers-only, *and direct ("DMs")*.
- Possibly IP addresses associated with your account - IP addresses on Kolektiva.social are logged for 3 days and then deleted, so IP addresses from any logins in the 3 days prior to the database backup date would be included.
- A hashed ("encrypted") version of your password.
🚨 👉 As a precaution we highly recommend that all users on Kolektiva.social *change their password immediately* to a new, unique, and strong password.
We sincerely apologize to all our users and regret this breach. In hindsight, it was obviously a mistake to leave a copy of the database in an unencrypted state. Unfortunately, what would otherwise have been a small mistake happened to coincide with a raid, due to bad luck and spectacularly bad timing.
We understand that our users and other people on the Fediverse will have a lot of questions. We will try to answer them as best we can, but please be patient and bear in mind that we may be overwhelmed with messages, and may be delayed in responding or unable to provide answers to certain questions for legal or technical reasons. As a security culture reminder, it can be extremely harmful to the individuals charged and to our community to openly speculate on the Internet about alleged criminal activity or about what law enforcement may be able to do with seized data. Our present awareness is that the seized Kolektiva data is unrelated to the federal investigation and prosecution and we are exploring legal avenues to have the seized data returned and copies destroyed.
Thank you for your understanding and solidarity :black_sparkling_heart:
👇 Please see our replies to this post for additional information (1/?) 👇
The FBI raided one of the admins of Kolektiva and a full copy of the website's database, dated early-may, was among the data seized. Full details in the linked URL.
Kolektiva.social is a Mastodon instance focused on radical politics and activism, with about 6.6K active users. One of the largest open-signup instances of its kind.
Take thisas a reminder: Do not dox yourself in DMs on social media. Treat them as if they were public, at least in terms of opsec.
If you want your communications to be properly private, use Matrix or something. This includes hexbear
Emails and other signup info too. If you have any reason to think you could be targeted by feds, other steps like using a VPN or Tor might be next. But the above advice is true for most social media users, celeb DMs leak all the time, for example. There's always a way.
"No, your honor, I wasn't going to nuke all of humanity, the aliens were supposed to do it to save the dolphins... huh? No, I've never read any posadist literature."
Yes, DMs are pretty much never deleted, the kollektiva instance leaked the IP adresses of users within a 3 day range in the past, as an unencrypted db image was currently worked at.
This means that you have to use VPNs/TOR and dynamic IPs to stay secure (or go the public varying internet cafe route).
not really, just that cf was dropped in the migration. nobody ever really liked cloudflare as far as I know but it did make certain things a bit faster and safer from certain kinds of attack. At the expense of all traffic going through the servers of a US company, who could if they wanted to probably spy on contents of traffic
Yeah it made sense as a practical choice. Dealing with potential DDoSes is a much bigger priority for a silly online forum than attempting and failing to be opaque to the US government xD
also the US government can always get the data from any service that wants to do business in the US. A service being hosted elsewhere does not mean it will not comply with US laws, especially if you're paying for it with a credit card or something and it has a sizeable US userbase.
Scary stuff
Take this as a reminder:Do not dox yourself in DMs on social media. Treat them as if they were public, at least in terms of opsec.If you want your communications to be properly private, use Matrix or something. This includes hexbear
Emails and other signup info too. If you have any reason to think you could be targeted by feds, other steps like using a VPN or Tor might be next. But the above advice is true for most social media users, celeb DMs leak all the time, for example. There's always a way.
Removed by mod
I am now imagining Gilbert Gottfried reading a BMF post in a federal courtroom.
Shame he passed away last year
we missed out on the best timeline by a wide margin, this is only further proof
The "wow I just found out" meme but unironic.
WAP
“Have you seen Kevin’s hat? It looks so stupid”
"No, your honor, I wasn't going to nuke all of humanity, the aliens were supposed to do it to save the dolphins... huh? No, I've never read any posadist literature."
Another KKKracka down! Unlimited genocide on the first world! Woooohoooooo!!! But in Minecraft obviously
Removed by mod
Fuckin Kyle
never known a good kyle
Thanks for taking the heat Kyle. They won't go after us minecrafters when they have you to chase down.
Strangely out of character for a Kyle though. I've only know kyles to be horrible humans never altruistic.
Here's to you 🍷 the best Kyle of them all.
it's actually funny how true this is, all jokes aside
Yes, DMs are pretty much never deleted, the kollektiva instance leaked the IP adresses of users within a 3 day range in the past, as an unencrypted db image was currently worked at.
This means that you have to use VPNs/TOR and dynamic IPs to stay secure (or go the public varying internet cafe route).
And Hexbear doesn't even try since it uses cloudflare lmao
outdated reference. cloudflare is no longer used (at least not their CDN functionality)
ooh thanks for the info! Do you know what they're doing now?
not really, just that cf was dropped in the migration. nobody ever really liked cloudflare as far as I know but it did make certain things a bit faster and safer from certain kinds of attack. At the expense of all traffic going through the servers of a US company, who could if they wanted to probably spy on contents of traffic
Yeah it made sense as a practical choice. Dealing with potential DDoSes is a much bigger priority for a silly online forum than attempting and failing to be opaque to the US government xD
also the US government can always get the data from any service that wants to do business in the US. A service being hosted elsewhere does not mean it will not comply with US laws, especially if you're paying for it with a credit card or something and it has a sizeable US userbase.