I put on my robe and wizard hat.
(I am in the UK and make TTRPGs. He/Him.)
Everything except phones, which actually could do with having them.
(This isn’t a completely new thing; in the 1980s I had an A-Team watch that had LED lights on it.)
Very, seems like great work.
First - really good summary and sounds like everyone is working hard.
Cross posting the below comment.
Under GDPR if you have had a data breach you have a legal obligation to assess whether you need to report it and you must make the report within 72 hours of discovering the breach.
There are other types of reportable breaches too; I only mention data as it sounds most likely. You may or may not be subject to PECR, which may also have been breached, although less likely. I don’t really have enough familiarity with the regulation to discuss that one.
If you are not sure if there has been a breach you may also need to discuss it with the relevant body or make a report.
Please can you update what action you have taken regarding this and if the incident was reportable or not and the reasons why. Edit - from that new information, it sounds like this is a reportable breach.
For a full understanding, it would be good to know if you had 2FA enabled on the compromised account, particularly as it had admin privileges, and if so, how 2FA was circumvented with this exploit.
It would also be good to know what measures you have in place to prevent the same or other malicious attempts on your Open Collective and Patreon accounts as issues with those are potentially more serious. They may not be vulnerable to this, but it is going to be reassuring to know there is good security practice, 2FA protection etc enabled and you have robust procedures in place.
It’s been handled amazingly well on the whole, too!
I think that tends to be the starting point, but the user base is expanding quickly and is becoming way more diverse. There are already plenty of users who don’t fit in that category, and I suspect it will continue to grow.
Whoever made the post won 1 million lem-coins maybe
I wonder what the one millionth post was (hopefully something dumb)
I think I fall on the side of preemptive defederation, not just because of data harvesting etc but also because the incoming communities will be huge and dwarf anything already here - look at what has happened here already as communities try to merge and establish. Everything dominant will become meta along with whatever mods and rules etc they already have in place. Scary.
If you understand tech, you will get it. But let’s face it, most people don’t know wtf they are doing lol
This should be the Fediverse tagline
Not at all, just wanted to make sure! I do sometimes wonder if people question if it is a legit discussion, especially given my obviously grown up and sensible user name haha.
Absolutely, sorry I don’t mean to sound like I am arguing with you - sorry if it comes across like that! I agree completely with what you’ve said and you’ve been really helpful with things I didn’t know about. I’m loving Lemmy and want it to succeed and I’m just coming from a place of genuine concern and wanting to see the discussions had, especially where I have dealt with these issues in passing in my day job!
Absolutely, it is just surprising there has not been quicker action given the severity of the potential consequences.
Hopefully all will be well!
Awesome, thank you so much! I didn’t know :)
Hopefully there can be a mechanism so that anyone who is an admin or controlling data in instances knows about it and regularly is alerted to any issue which might impact GDPR compliance.
This is one reason I think there needs to be a public issue tracker and backlog.
If issues deleting data are a known issue, that means it is known Lemmy / instances cannot comply with right to be forgotten requests. I think there are also rules around informing people who have made requests why you are not taking action, how they make a complaint (in the UK this is to the ICO), and that they have a right to get this enforced through legal proceedings.
It feels like it’s not just some elements not complying, it’s like a stack of things that just goes on and on!
Totally agree, there is really valuable discussion to be had and collectively it needs to be resolved and approached holistically and consistently across as many instances as possible. Just because you’re someone running a tiny server doesn’t mean you can’t get absolutely dragged over the coals for breach and/or non-compliance.
Even things like reporting incidents and breaches of the service for each instance - it is very unlikely tiny servers can or will comply with so many aspects of GDPR.
I think the fact that someone could maliciously (or actually, genuinely) report instances now using a relatively straightforward process should be grounds to get the wheels moving on this really!
For example, you can report non-compliance with cookie information in a one page form here: https://ico.org.uk/make-a-complaint/cookies/report-cookie-concerns/. The process for consumers to kick off a potentially serious enforceable action is very straightforward.
Awesome! I’m pretty sure there are some great websites with resources if you need it, although they likely come with a caveat they are not legal guidance :)
Totally, I do wonder how compliant these systems can be!
Thank you! Understood - I think the issue is that there is no documented policy on some instances; I don’t know how each instance handles / shares my data and what the retention policies etc. are. I seem to remember there are more controls required depending on where the data is being transferred to. Anyway, that’s getting beyond what I am familiar with!
This is really interesting, thank you - I definitely agree there are grey areas and work to be done to ensure compliance as far as is possible!
It will be interesting to see how it all unpacks.
I did this too, everything had feet by the time I finished. Everything.