⚠️ Scam alert: if anyone ever asks you to "temporarily change" the email address on your Mastodon account, DO NOT DO THIS.
There is currently a scammer posing as a server admin telling people to temporarily change their Mastodon account's email to an address supplied by the scammer. This is a scam, don't do it.
Real admins will NEVER ask you to do this.
You can see examples of this scam in the thread at ohai.social/@redsad/1157080301…
(Thanks @markwyner for the warning about this!)
captain acab :antifa: (@redsad@ohai.social)
[Attached: 1 image] is this for real? someone said they accidentally reported my account and said to contact this person now they say they want me to change my email address edit: confirmed scammer. do not respond to a text like this (ohai.social)
Poliverso - notizie dal Fediverso likes this.
Billy O'Neal
in reply to Fedi.Tips:
ะั
in reply to Fedi.Tips:
> Real admins will NEVER ask you to do this.
yeah, *real* admins can change your email directly, without asking you :DDD
(usually we don't)
@markwyner
โ
in reply to ะั:
Hi Mark, so is that true, that real admins and mods can already make a change like that on their own?
@mo @FediTips
Mark Wyner Won't Comply
in reply to โ:
@fembot
Well… sort of. For example, I'm a moderator, but not an admin. I can see the email address of an account on our server, but I can't edit it. However, a moderator who is also an admin could.
We also can't see emails for accounts on other servers, even as an admin.
@mo @FediTips
Natasha Nox 🇺🇦🇵🇸
in reply to Mark Wyner Won't Comply:
Offtopic:
That's something people should be more aware of in general. Any service that isn't (properly!) End-to-End Encrypted or can't be, like Social Media or Cloud services (if you want all the fancy Office, Gallery etc. features to work), can't prevent server admins from doing whatnot with any user account.
I'm admin of my family's cloud server. If I wanted to I could disable 2FA, change email, password and keys of any user account and take full control.
Mark Wyner Won't Comply
in reply to Natasha Nox 🇺🇦🇵🇸:
@Natanox
Yep. If you're not self hosting ANYTHING you aren't engaged in a contract of trust.
@fembot @mo @FediTips
Strypey
in reply to Natasha Nox 🇺🇦🇵🇸:
@Natanox
> Any service that isn't (properly!) End-to-End Encrypted or can't be, like Social Media
Social network apps can (in theory) use E2EE and really ought to, for anything that isn't intended to be a public post.
> or Cloud services (if you want all the fancy Office, Gallery etc. features to work)
Why would this prevent E2EE being used?
@markwyner @fembot @mo @FediTips
Natasha Nox 🇺🇦🇵🇸
in reply to Strypey:
@strypey *Technically* both could do it, BUT for social media websites this would blow the project scope completely out of proportion especially for FOSS projects and only ever apply to DMs (also to implement this in a user-friendly, yet secure way is extremely hard). It's more sensible to point to Signal, Threema etc.
For Cloud… you can do it, but this would automatically exclude *any* server-side feature (a lot!). That's why Nextcloud doesn't default to it.
@markwyner @fembot @mo @FediTips
Strypey
in reply to Natasha Nox 🇺🇦🇵🇸:
> for social media websites this would blow the project scope completely out of proportion especially for FOSS projects
*cough* Matrix *cough*
> It's more sensible to point to Signal, Threema etc
See above.
> this would automatically exclude *any* server-side feature
But ... how? Either I completely misunderstand what you're saying, or maybe you're getting confused between E2EE and on-device.
@markwyner @fembot @mo @FediTips
Natasha Nox 🇺🇦🇵🇸
in reply to Strypey:
Natasha Nox 🇺🇦🇵🇸
in reply to Natasha Nox 🇺🇦🇵🇸:
Natasha Nox 🇺🇦🇵🇸
in reply to Natasha Nox 🇺🇦🇵🇸:
Strypey
in reply to Natasha Nox 🇺🇦🇵🇸:
(1/?)
Ok, let's back up a bit. Firstly, the End-to-End principle isn't really relevant here, because there's only one 'end' involved; the device you're using with the server. HTTPS already encrypts the connection between the two.
So what we're really talking about is encrypting what the server is doing - both processes and storage - so that it can only be accessed by the person doing their computing there, not an admin of that server.
@Natanox
@markwyner @fembot @mo @FediTips
Natasha Nox 🇺🇦🇵🇸
in reply to Strypey:
@strypey @fembot @mo So you're talking about Secure Enclaves on the server while I'm talking about classical E2EE…?
This gets very technical and drastically off-topic; we should split this thread to not flood people's inboxes.
Strypey
in reply to Natasha Nox 🇺🇦🇵🇸:
@Natanox
> So you're talking about Secure Enclaves on the server while I'm talking about classical E2EE…?
On reflection, you're right that E2EE isn't the right term. But the first post I replied to seemed to be implying that using a server without exposing everything you do to the admin isn't possible with "cloud" services (doing your computing on someone else's computer instead of your own). If that's not what you meant, then we're good.
@markwyner @fembot @mo @FediTips
Strypey
in reply to Strypey:
(2/?)
> Any kind of compute would have to happen on the user devices
So LavaBit, CryptPad, Mega, and all the other projects that have developed services they say they can't see inside of, they're all doing everything on device, with only storage and sync happening on the server?
Strypey
in reply to Natasha Nox 🇺🇦🇵🇸:
@Natanox
> Matrix is a prime example of exactly what I said, that it's extremely hard and would blow up any social media project
The existence of a wide range of Free Code projects implementing Matrix suggests the opposite.
> requires the user to take care of their own keys to not see "Couldn't decrypt message" all the time
There have been UX teething problems. But I haven't had a UtD error since the software I'm using upgraded to the Matrix 2.0 approach.
@markwyner @fembot @mo @FediTips
Strypey
in reply to Natasha Nox 🇺🇦🇵🇸:
@Natanox
> for social media websites this would blow the project scope completely out of proportion especially for FOSS projects
I was so surprised by this I forgot to mention the obvious counterexample, the branch of the fediverse that includes Friendica, Hubzilla, and Forte. Federation between some of these uses the DFRN/Zot/Nomad protocols to do some degree of E2EE on non-public posts. It doesn't seem to cause any more headache than implementing ActivityPub.
@markwyner @fembot @mo @FediTips
Natasha Nox 🇺🇦🇵🇸
in reply to Strypey:
Noortje Van Leeuwen
in reply to Fedi.Tips:
cleverle
in reply to Fedi.Tips:
DJ Bambi (Eoin)
in reply to Fedi.Tips:
Phillip Upton
in reply to Fedi.Tips:
Can non-admins even see the email?
The reason I ask is because I use unique emails for different things… and I expect only the admin could see the email I used for Mastodon.
Mark Wyner Won't Comply
in reply to Phillip Upton:
Admins/mods can indeed see account email addresses. And IPs. We use those tools to help keep things safe. I believe this is true for most every system where you have an account.
It's possible there's a setting that restricts email addresses to only admins, with no mod access. But I'm not sure about that. I just assume all mods have access. But mods are sort of admins in many ways.
@FediTips
Mark Wyner Won't Comply
Unknown parent:
@MikeImBack
Spam is complicated. Once a person with nefarious intentions has access to a single account from someone, they can use info from that to take myriad other actions.
For example, they can use it to gain access to other accounts that person owns. They can also use the hacked account to impersonate the person, phishing with people the victim knows.
@FediTips
kaffando
in reply to Fedi.Tips:
Mark Wyner Won't Comply
in reply to kaffando:
@kaffando
Well… you'd be surprised how many people get confused about this kind of thing. It's easy to assume our knowledge/experience is universal, but it's not. There are a lot of non-tech-savvy folks on Mastodon.
@FediTips @Mastodon
❄️SnowyIn🇨🇦❄️
in reply to kaffando:
@kaffando @Mastodon
I doubt it is a lack of intelligence that is the reason why people fall for scams; some people have a very trusting nature, or are tired/ill or distracted, stressed out and for a moment let their guard down.
I sincerely hope you are never caught off guard like so many intelligent folk.
Mike. 🩼🇨🇦
in reply to Mark Wyner Won't Comply:
James H
in reply to Fedi.Tips:
Strypey
in reply to James H:
@quanin
> I will nuke them and their instance from orbit
It's the only way to be sure ; )
VulcanTourist
in reply to Fedi.Tips:
thermonuclear small claims
in reply to Fedi.Tips:
Roknrol reshared this.
Mark Wyner Won't Comply
in reply to thermonuclear small claims:
@fullfathomfive
Absolutely. I do see some shaming and disbelief that folks are susceptible. That bothers me. It happens. Thank you for offering this reassurance to people.
@FediTips
Claudine C
in reply to Mark Wyner Won't Comply:
pluralistic.net/2025/04/05/tro…
Pluralistic: How the world's leading breach expert got phished (05 Apr 2025) – Pluralistic: Daily links from Cory Doctorow
pluralistic.net
Mark Wyner Won't Comply and Cory Doctorow reshared this.
Mark Wyner Won't Comply
in reply to Claudine C:
@claudinec
I love reading kind words from kind people more than I can express. Kindness and empathy are salve for the soul.
@fullfathomfive @FediTips @pluralistic
Fedi.Tips
in reply to Fedi.Tips:
p.s. To add a bit of context, the scammer may message you to claim they reported you by accident. They then try to convince you to get in touch with a different account that pretends to be an admin who can "fix" the situation. All of the things they tell you are lies.
The scammer is actually running both accounts and just wants to take over your account by tricking you into changing your email address to their email address. They would then use your account to post other scams.
Verฤandi K Soldusty and Aral Balkan reshared this.
Kaliah
in reply to Fedi.Tips:
Fedi.Tips
in reply to Kaliah:
1) They are victims, it's just wrong to shame victims
2) All of us are vulnerable, we should all be keeping our guard up
3) Shaming discourages victims from warning others, so the shaming is just helping the scammers
Gareth 🏴󠁧󠁢󠁷󠁬󠁳󠁿
in reply to Fedi.Tips:
@Kaliah
Here's a good post from @pluralistic himself about how even if this sort of thing is your world, it still only takes a moment of distraction.
So yeah. It can happen to anyone. Blaming the victim doesn't help, however "obvious" it seems to someone else with distance and hindsight.
pluralistic.net/2024/02/05/cyb…
Pluralistic: How I got scammed (05 Feb 2024) – Pluralistic: Daily links from Cory Doctorow
pluralistic.net
thermonuclear small claims
in reply to Fedi.Tips:
They're doing this as a full-time job and putting their whole attention on it. As @pluralistic says, the scammer only has to be lucky once. You have to be lucky always.
Professor_Stevens
in reply to Fedi.Tips:
Frank Heijkamp
in reply to Fedi.Tips:
@markwyner
Un Bourguignon
in reply to Fedi.Tips:
👍🏼
Ping @admin.
A communication along these lines in the language of Molière could be a good thing, no?
@markwyner
Leeloo
in reply to Fedi.Tips:
Not just for Mastodon, any service that uses email for resetting your password will have people trying this scam.
Don't fall for it anywhere.
And yes, a real admin will be able to change your email and password, etc on their own, so any time someone claiming to be an admin asks you to do that, it's a red flag.
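To make Leeloo's point concrete, here is an added example (not Mastodon's code, nor anything from the posters above): a toy in-memory service where a password reset goes to whatever address is on the account, which is all the scam needs. It replays the scenario Fedi.Tips describes with constructed addresses (`victim@example.invalid`, `attacker@example.invalid`), then shows one assumed mitigation for illustration only: the old address receives a single-use revert link that restores the email and voids any pending resets. Whether any real server behaves this way is not claimed.

```python
"""Why 'temporarily change your email' hands over the account, and one mitigation.

Added example, not Mastodon's or any project's code. The revert link to the
OLD address is an assumed design for illustration, not a description of any
real server. All addresses and tokens are constructed.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str
    email: str
    password: str
    previous_email: Optional[str] = None   # set while an email change can still be undone
    revert_token: Optional[str] = None


class ToyService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.mailboxes: dict[str, list[tuple[str, str]]] = {}  # email -> [(kind, token)]
        self.reset_tokens: dict[str, str] = {}                 # reset token -> username

    def _send(self, email: str, kind: str, token: str) -> None:
        self.mailboxes.setdefault(email, []).append((kind, token))

    def register(self, username: str, email: str, password: str) -> None:
        self.accounts[username] = Account(username, email, password)

    def change_email(self, username: str, new_email: str) -> None:
        """Switch the reset destination; the old address gets a one-time revert link."""
        acct = self.accounts[username]
        acct.previous_email = acct.email
        acct.revert_token = secrets.token_urlsafe(16)
        self._send(acct.email, "email-change-notice", acct.revert_token)
        acct.email = new_email

    def request_password_reset(self, email: str) -> None:
        """Whoever reads this mailbox can now set a new password: no old password needed."""
        for acct in self.accounts.values():
            if acct.email == email:
                token = secrets.token_urlsafe(16)
                self.reset_tokens[token] = acct.username
                self._send(email, "password-reset", token)

    def complete_password_reset(self, token: str, new_password: str) -> bool:
        username = self.reset_tokens.pop(token, None)
        if username is None:
            return False
        self.accounts[username].password = new_password
        return True

    def revert_email(self, token: str) -> bool:
        """Undo the change from the old address and void every pending reset for that user."""
        for acct in self.accounts.values():
            if acct.revert_token is not None and secrets.compare_digest(acct.revert_token, token):
                acct.email, acct.previous_email, acct.revert_token = acct.previous_email, None, None
                self.reset_tokens = {t: u for t, u in self.reset_tokens.items() if u != acct.username}
                return True
        return False


def latest(svc: ToyService, email: str, kind: str) -> Optional[str]:
    """Token of the most recent message of `kind` delivered to `email`."""
    for k, tok in reversed(svc.mailboxes.get(email, [])):
        if k == kind:
            return tok
    return None


def scam_outcome() -> dict[str, bool]:
    """Replay the thread's scenario; every flag is True when the model behaves as described."""
    svc = ToyService()
    svc.register("alice", "victim@example.invalid", "correct horse")
    # Step 1: the 'temporary' change the fake admin asked for.
    svc.change_email("alice", "attacker@example.invalid")
    # Step 2: an ordinary password reset now lands in the attacker's inbox.
    svc.request_password_reset("attacker@example.invalid")
    stolen = latest(svc, "attacker@example.invalid", "password-reset")
    taken_over = svc.complete_password_reset(stolen, "attacker chosen")
    # Step 3 (assumed mitigation): the notice to the OLD address lets the owner undo it.
    svc.request_password_reset("attacker@example.invalid")   # a second reset, still pending
    revert = latest(svc, "victim@example.invalid", "email-change-notice")
    reverted = svc.revert_email(revert)
    pending = latest(svc, "attacker@example.invalid", "password-reset")
    return {
        "takeover_succeeded": taken_over and svc.accounts["alice"].password == "attacker chosen",
        "email_restored": reverted and svc.accounts["alice"].email == "victim@example.invalid",
        "pending_reset_voided": not svc.complete_password_reset(pending, "again"),
        "revert_single_use": not svc.revert_email(revert),
    }


if __name__ == "__main__":
    print(scam_outcome())
```

The first flag is the whole scam: nobody ever needed the password, only control of the address the reset email goes to. The remaining flags show why notifying the old address, rather than only the new one, matters: it is the one channel the account owner still holds after being talked into the change.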