The cause of a data leak at Mastodon was not an external intrusion, but an insufficient configuration of the Mastodon server used to store user data. This made it theoretically possible for every user of the service to view the data uploaded to files.mastodon.social. Mastodon discovered the bug on February 24th and closed it within 30 minutes. However, the leak had existed since the beginning of February, when the infrastructure was upgraded, the provider writes in an e-mail.
Data exports public
Mastodon normally protects access to files with long, randomly generated file names, among other things, so that only those who know the link can access the files. However, this mechanism could be circumvented in the course of the upgrade. Much of the data accessible in this way is publicly available anyway.
However, this does not apply to the data exports downloaded by users, which also contain non-publicly shared posts, direct messages and attachments. In a statement, Mastodon stated that this archive data was immediately deleted to prevent further access to it. However, it was not possible to prevent access that had already taken place.
The temporarily public data exports contain the public profile, the user's own favorites and bookmarks, as well as posts and media attachments. Mastodon assured that neither e-mail addresses nor other personal identification data were included. No further action is required from users.
(uk)