As more people flock over to the fediverse from reddit, twitter and other centralised proprietary networks it is important that you keep your e-mail and other important accounts safe from hijacking attempts. Since anyone can simply spin up an instance and host users and communities it is important that you don’t divulge your internet personal details to anyone as these can be harvested by the instance owner and by any instance you erroneously try to login to or simply the instance could be hacked and the user data harvasted. With this in mind here are some suggestions for good OPSEC (Operation Security):
- Don’t use your main e-mail address. Either create a new one or better sign up for an e-mail forwarding service and set-up forwarding addresses for each instance you sign up to. Since these are throw away addresses, if it gets leaked you can just delete the address and create a new one without compromising your main e-mail address. (Bonus: this can also be used to use unique addresses for traditional web services and make it easy to know how and from where an address got leaked)
Here is a nice article with some e-mail forwarding providers to get you started
- Use a password manager and generate strong and unique passwords for any and all instances and services you use, this way you won’t divulge a password used on another account to the instance owner, or if the address used (especially if you used your main e-mail address)/got leaked your account will still be safe from hijacking by attempting to use password dictionaries to guess the password.
Some passvault suggestions:
- Passbolt (self hosted)
- Bitwarden (self hosted and hosted options)
- Vaultwarden (unlocked self hosted alternative to bitwarden)
These are my main security suggestions for all you new and existing lemmings. Feel free to suggest other security considerations to have and other services beyond those mentioned. Stay safe and have fun posting and commenting.
Weird question - if you change your email address, is the change you made, and the old and new email address now federated out to all the other instances, meaning in a hypothetical leak, both email addresses get leaked? Or would only the newest one be saved and federated, and therefore leaked?
I do not believe either mastodon or lemmy federate your email address at all. Only the server you join has that information. You might have to worry if you have signed up to an uncrupulous instance. That instance admin could sell your email, I guess. They would have access to any email you gave them, so changing it would probably not help. I think the problem is a little overstated, honestly.
federated users and local users are stored in the database in different tables. The federated users table doesn’t have emails saved in it.
My question as well! Since I didn’t know this at signup and used my primary email, am I screwed no matter what in the event of unscrupulous data collection?
Well, it does mean that you could be doxxed if a leak or attack happens. It’s up to you to decide how much you care about that risk.
Though also bear in mind that you can be doxxed no matter what if you share enough details online, so unless you’re planning to be extremely careful with every shred of information you reveal, it probably honestly doesn’t matter.