Mastodon has suffered a serious data leak. According to the open-source Twitter alternative, the Mastodon.social instance is affected. Apparently, third parties have even gained access to direct messages.
Misconfiguration led to data leak at Mastodon
Anyone with an account on the Mastodon.social instance may have received a message from the service in recent days. In it, users affected by the now-public data leak were informed of a "Security Incident on Mastodon.social". Third parties are said to have had access to direct messages and to posts addressed exclusively to followers. However, CEO Eugen Rochko also finds reassuring words in his warning e-mail: according to him, it is presumably ruled out that personal user data was also affected by the leak. The cause was probably a misconfiguration, which allowed third parties to easily access the archive data on the instance.
Data leak may have existed for almost three months
According to the service, the misconfiguration was noticed on February 24 and is said to have been fixed within half an hour. The question remains, however, for how long attackers had access to the exposed data. The service itself suspects that the problem had existed since February 2. A user of the social network, however, gives a different account: he reports that his data had already been exported on December 5. If that is the case, the leak would have lasted almost three months. Rochko, however, disputed this account.
The CEO also gave a figure for the number of people affected. Counting the users of Mastodon.social together with those of Mastodon.online, which was also affected, more than 6,000 users are concerned. Human error led to the misconfiguration, and the wrong setting was also found on other instances run by the service, where it was corrected as well. Rochko told Golem.de that no evidence of unauthorized data access could be found in the archives. Nevertheless, such access cannot be ruled out with absolute certainty.