⚠️ Scam alert: if anyone ever asks you to "temporarily change" the email address on your Mastodon account, DO NOT DO THIS.
There is currently a scammer posing as a server admin telling people to temporarily change their Mastodon account's email to an address supplied by the scammer. This is a scam, don't do it.
Real admins will NEVER ask you to do this.
You can see examples of this scam in the thread at ohai.social/@redsad/1157080301…
(Thanks @markwyner for the warning about this! 🙏 )
captain acab :antifa: (@redsad@ohai.social)
Attached: 1 image is this for real? someone said they accidentally reported my account and said to contact this person now they say they want me to change my email address edit: confirmed scammer. do not respond to a text like thisohai.social
Questa voce è stata modificata (1 mese fa)
Poliverso - notizie dal Fediverso ⁂ likes this.
reshared this
Billy O'Neal
in reply to Fedi.Tips • • •Мя ��
in reply to Fedi.Tips • • •> Real admins will NEVER ask you to do this.
yeah, *real* admins can change your email directly, without asking you :DDD
(usually we don't)
@markwyner
●
in reply to Мя �� • • •Hi Mark, so is that true, that real admins and mods can already make a change like that on their own?
@mo @FediTips
Mark Wyner Won’t Comply
in reply to ● • • •@fembot
Well…sort of. For example, I’m a moderator, but not an admin. I can see the email address of an account on our server, but I can’t edit it. However, a moderator who is also an admin could.
We also can’t see emails for accounts on other servers, even as an admin.
@mo @FediTips
Natasha Nox 🇺🇦🇵🇸
in reply to Mark Wyner Won’t Comply • • •Offtopic:
That's something people should be more aware in general. Any service that isn't (properly!) End-to-End Encrypted or can't be, like Social Media or Cloud services (if you want all the fancy Office, Gallery etc. features to work), can't prevent server admins from doing whatnot with any user account.
I'm admin of my families' cloud server. If I wanted to I could disable 2FA, change email, password and keys of any user account and take full control.
Mark Wyner Won’t Comply
in reply to Natasha Nox 🇺🇦🇵🇸 • • •@Natanox
Yep. If you’re not self hosting ANYTHING you aren’t engaged in a contract of trust.
@fembot @mo @FediTips
Strypey
in reply to Natasha Nox 🇺🇦🇵🇸 • • •@Natanox
> Any service that isn't (properly!) End-to-End Encrypted or can't be, like Social Media
Social network apps can (in theory) use E2EE and really ought to, for anything that isn't intended to be a public post.
> or Cloud services (if you want all the fancy Office, Gallery etc. features to work)
Why would this prevent E2EE being used?
@markwyner @fembot @mo @FediTips
Natasha Nox 🇺🇦🇵🇸
in reply to Strypey • • •@strypey *Technically* both could do it, BUT for social media websites this would blow the project scope completely out of proportion especially for FOSS projects and only ever apply to DMs (also to implement this in a user-friendly, yet secure way is extremely hard). It's more sensible to point to Signal, Threema etc.
For Cloud… you can do it, but this would automatically exclude *any* server-side feature (a lot!). That's why Nextcloud doesn't default to it.
@markwyner @fembot @mo @FediTips
Strypey
in reply to Natasha Nox 🇺🇦🇵🇸 • • •> for social media websites this would blow the project scope completely out of proportion especially for FOSS projects
*cough* Matrix *cough*
> It's more sensible to point to Signal, Threema etc
See above.
> this would automatically exclude *any* server-side feature
But ... how? Either I completely misunderstand what you're saying, or maybe you're getting confused between E2EE and on-device.
@markwyner @fembot @mo @FediTips
Natasha Nox 🇺🇦🇵🇸
in reply to Strypey • • •Natasha Nox 🇺🇦🇵🇸
in reply to Natasha Nox 🇺🇦🇵🇸 • • •Natasha Nox 🇺🇦🇵🇸
in reply to Natasha Nox 🇺🇦🇵🇸 • • •Strypey
in reply to Natasha Nox 🇺🇦🇵🇸 • • •(1/?)
Ok, let's back up a bit. Firstly, the End-to-End principle isn't really relevant here, because there's only one 'end' involved; the device you're using with the server. HTTPS already encrypts the connection between the two.
So what we're really talking about is encrypting what the server is doing - both processes and storage - so that it can only be accessed by the person doing their computing there, not an admin of that server.
@Natanox
@markwyner @fembot @mo @FediTips
Natasha Nox 🇺🇦🇵🇸
in reply to Strypey • • •@strypey @fembot @mo So you're talking about Secure Enclaves on the server while I'm talking about classical E2EE…?
This gets very technical and drastically Offtopic, we should split this thread to not flood people's inbox. 🫠
Strypey
in reply to Natasha Nox 🇺🇦🇵🇸 • • •@Natanox
> So you're talking about Secure Enclaves on the server while I'm talking about classical E2EE…?
On reflection, you're right that E2EE isn't the right term. But the first post I replied seemed to be implying that using a server without exposing everything you do to the admin isn't possible with "cloud" services (doing your computing on someone else's computer instead of our own). If that's not what you meant, then we're good.
@markwyner @fembot @mo @FediTips
Strypey
in reply to Strypey • • •(2/?)
> Any kind of compute would have to happen on the user devices
So LavaBit, CryptPad, Mega, and all the other projects that have developed services they say they can't see inside of, they're all doing everything on device, with only storage and sync happening on the server?
Strypey
in reply to Natasha Nox 🇺🇦🇵🇸 • • •@Natanox
> Matrix is a prime example of exactly what I said, that it's extremely hard and would blow up any social media project
The existence of a wide range of Free Code projects implementing Matrix suggests the opposite.
> requires the user to take care of their own keys to not see "Couldn't decrypt message" all the time
There have been UX teething problems. But I haven't had a UtD error since the software I'm using upgraded to the Matrix 2.0 approach.
@markwyner @fembot @mo @FediTips
Strypey
in reply to Natasha Nox 🇺🇦🇵🇸 • • •@Natanox
> for social media websites this would blow the project scope completely out of proportion especially for FOSS projects
I was so surprised by this I forgot to mention the obvious counterexample, the branch of the fediverse that includes Friendica, Hubzilla, and Forte. Federation between some of these use the DFRN/ Zot/ Nomad protocol to do some degree of E2EE on non-public posts. It doesn't seem to cause any more headache than implementing ActivityPub.
@markwyner @fembot @mo @FediTips
Natasha Nox 🇺🇦🇵🇸
in reply to Strypey • • •Noortje Van Leeuwen
in reply to Fedi.Tips • • •cleverle
in reply to Fedi.Tips • • •DJ Bambi (Eoin)
in reply to Fedi.Tips • • •Phillip Upton
in reply to Fedi.Tips • • •Can non-admins even see the email?
The reason ask is because I use unique emails for different things… and I expect only the admin could see the email I used for mastodon.
Mark Wyner Won’t Comply
in reply to Phillip Upton • • •Admins/mods can indeed see account email addresses. And IPs. We use those tools to help keep things safe. I believe this is true for most every system where you have an account.
It’s possible there’s a setting that restricts email addresses to only admins, with no mod access. But I’m not sure about that. I just assume all mods have access. But mods are sort of admins in many ways.
@FediTips
Mark Wyner Won’t Comply
Unknown parent • • •@MikeImBack
Spam is complicated. Once a person with nefarious intentions has access to a single account from someone, they can use info from that to take myriad other actions.
For example, they can use it to gain access to other accounts that person owns. They can also use the hacked account to impersonate the person, phishing with people the victim knows.
@FediTips
kaffando
in reply to Fedi.Tips • • •Mark Wyner Won’t Comply
in reply to kaffando • • •@kaffando
Well…you’d be surprised how many people get confused about this kind of thing. It’s easy to assume our knowledge/experience is universal, but it’s not. There are a lot of non-tech-savvy folks on Mastodon.
@FediTips @Mastodon
Kazinator
in reply to Mark Wyner Won’t Comply • • •@kaffando @Mastodon
But, but, ... thanks to this e-mail switch campaign, there are now fewer non-tech-savvy accounts on Mastodon.
kaffando
in reply to Kazinator • • •@Kazinator @Mastodon
You don't have to be tech-savvy. Just having a brain is enough 🤩
Natasha Nox 🇺🇦🇵🇸
in reply to kaffando • • •@kaffando @Kazinator @Mastodon Don't say that, scams win eventually simply by being so prevalent. Just browse r/Scams for a while and you'll see posts from IT experts who, contritely, describe how they fucked up and got hacked by a scammer.
Even worse is what happens through a compromised account. If someone would manage to get into my account an LLM trained on my public posts might extort money from many friendly people faster than I could reach our two admins.
❄️SnowyIn🇨🇦❄️
in reply to kaffando • • •@kaffando @Mastodon
I doubt it is a lack of intelligence that is the reason why people fall for scams; some people have a very trusting nature, or are tired/ill or distracted, stressed out and for a moment let their guard down.
I sincerely hope you are never caught off guard like so many intelligent folk.
James H
in reply to Fedi.Tips • • •Strypey
in reply to James H • • •@quanin
> I will nuke them and their instance from orbit
It's the only way to be sure ; )
VulcanTourist
in reply to Fedi.Tips • • •thermonuclear small claims
in reply to Fedi.Tips • • •Natasha Nox 🇺🇦🇵🇸 reshared this.
Mark Wyner Won’t Comply
in reply to thermonuclear small claims • • •@fullfathomfive
Absolutely. I do see some shaming and disbelief that folks are susceptible. That bothers me. It happens. Thank you for offering this reassurance to people.
@FediTips
Claudine C
in reply to Mark Wyner Won’t Comply • • •pluralistic.net/2025/04/05/tro…
Pluralistic: How the world’s leading breach expert got phished (05 Apr 2025) – Pluralistic: Daily links from Cory Doctorow
pluralistic.netreshared this
Mark Wyner Won’t Comply, Cory Doctorow, Vivadial e FKA ZOG reshared this.
Mark Wyner Won’t Comply
in reply to Claudine C • • •@claudinec
I love reading kind words from kind people more than I can express. Kindness and empathy are salve for the soul.
@fullfathomfive @FediTips @pluralistic
Fedi.Tips
in reply to Fedi.Tips • • •p.s. To add a bit of context, the scammer may message you to claim they reported you by accident. They then try to convince you to get in touch with a different account that pretends to be an admin who can "fix" the situation. All of the things they tell you are lies.
The scammer is actually running both accounts and just wants to take over your account by tricking you into changing your email address to their email address. They would then use your account to post other scams.
reshared this
RFanciola, Aral Balkan e Jones reshared this.
Kaliah
in reply to Fedi.Tips • • •Fedi.Tips
in reply to Kaliah • • •1) They are victims, it's just wrong to shame victims
2) All of us are vulnerable, we should all be keeping our guard up
3) Shaming discourages victims from warning others, so the shaming is just helping the scammers
Gareth 🏴
in reply to Fedi.Tips • • •@Kaliah
Here’s a good post from @pluralistic himself about how even if this sort of thing is your world, it still only takes a moment of distraction.
So yeah. It can happen to anyone. Blaming the victim doesn’t help, however “obvious” it seems to someone else with distance and hindsight.
pluralistic.net/2024/02/05/cyb…
Pluralistic: How I got scammed (05 Feb 2024) – Pluralistic: Daily links from Cory Doctorow
pluralistic.netthermonuclear small claims
in reply to Fedi.Tips • • •They're doing this as a full-time job and putting their whole attention on it. As @pluralistic says, the scammer only has to be lucky once. You have to be lucky always.
Professor_Stevens
in reply to Fedi.Tips • • •Frank Heijkamp
in reply to Fedi.Tips • • •@markwyner
Un Bourguignon
in reply to Fedi.Tips • • •👆🏼
Ping @admin .
Une comm en ce sens dans la langue de Molière pourrait être une bonne chose, non ?
@markwyner
Leeloo
in reply to Fedi.Tips • • •Not just for Mastodon, any service that uses email for resetting your password will have people trying this scam.
Don't fall for it anywhere.
And yes, a real admin will be able to change your email and password, etc on their own, so any time someone claiming to be an admin asks you to do that, it's a red flag.