⚠️ Scam alert: if anyone ever asks you to "temporarily change" the email address on your Mastodon account, DO NOT DO THIS.

There is currently a scammer posing as a server admin telling people to temporarily change their Mastodon account's email to an address supplied by the scammer. This is a scam, don't do it.

Real admins will NEVER ask you to do this.

You can see examples of this scam in the thread at https://ohai.social/@redsad/115708030185038699

(Thanks @markwyner for the warning about this! 🙏 )

#FediTips

Linked post by captain acab (@redsad@ohai.social) on ohai.social, with 1 image attached: "is this for real? someone said they accidentally reported my account and said to contact this person, now they say they want me to change my email address. edit: confirmed scammer. do not respond to a text like this"

p.s. To add a bit of context, the scammer may message you to claim they reported you by accident. They then try to convince you to get in touch with a different account that pretends to be an admin who can "fix" the situation. All of the things they tell you are lies.

The scammer is actually running both accounts and just wants to take over your account by tricking you into changing your email address to their email address. They would then use your account to post other scams.

@FediTips I've seen a similar scam go around on discord. I'd imagine it'd be easy to fall for this sort of thing if you aren't tech inclined or don't know about this stuff. I hope all of these jerks get exactly what's coming to them and like someone else said in this thread, let's not shame people if they do end up falling for scams.

@Kaliah

Yeah, never a good idea to shame anyone as:
1) They are victims, it's just wrong to shame victims
2) All of us are vulnerable, we should all be keeping our guard up
3) Shaming discourages victims from warning others, so the shaming is just helping the scammers

@FediTips @Kaliah
Here’s a good post from @pluralistic himself about how even if this sort of thing is your world, it still only takes a moment of distraction.

So yeah. It can happen to anyone. Blaming the victim doesn’t help, however “obvious” it seems to someone else with distance and hindsight.

https://pluralistic.net/2024/02/05/cyber-dunning-kruger/#swiss-cheese-security

Pluralistic: How I got scammed (05 Feb 2024) – Pluralistic: Daily links from Cory Doctorow

@FediTips @Kaliah
They're doing this as a full-time job and putting their whole attention on it. As @pluralistic says, the scammer only has to be lucky once. You have to be lucky always.
@Kaliah @FediTips "I've accidentally reported you" is one of the standard scams these days. It's going round on Tumblr. It's going round on Archive of Our Own. It's basically going round any service where you MIGHT be able to report people, because "your account is at risk for nebulous reasons" is a strong motivator that fools the unaware.
@FediTips @markwyner "Just temporarily set your passcode to 1 1 1 1 to reenact Meet the Spy..."

@FediTips
> Real admins will NEVER ask you to do this.

yeah, *real* admins can change your email directly, without asking you :DDD
(usually we don't)

@markwyner

@markwyner
Hi Mark, so is that true, that real admins and mods can already make a change like that on their own?

@mo @FediTips

@fembot

Well…sort of. For example, I’m a moderator, but not an admin. I can see the email address of an account on our server, but I can’t edit it. However, a moderator who is also an admin could.

We also can’t see emails for accounts on other servers, even as an admin.

@mo @FediTips

@markwyner @fembot @mo @FediTips

There is also the cli code that I've used to fix an error for an account on Beamship
...

@markwyner @fembot @mo @FediTips
Offtopic:
That's something people should be more aware of in general. Any service that isn't (properly!) End-to-End Encrypted or can't be, like Social Media or Cloud services (if you want all the fancy Office, Gallery etc. features to work), can't prevent server admins from doing whatnot with any user account.
I'm admin of my family's cloud server. If I wanted to I could disable 2FA, change email, password and keys of any user account and take full control.

@Natanox @markwyner @mo @FediTips

Thank you both, that's helpful to know.

@Natanox

Yep. If you’re not self hosting ANYTHING you aren’t engaged in a contract of trust.

@fembot @mo @FediTips

@Natanox
> Any service that isn't (properly!) End-to-End Encrypted or can't be, like Social Media

Social network apps can (in theory) use E2EE and really ought to, for anything that isn't intended to be a public post.

> or Cloud services (if you want all the fancy Office, Gallery etc. features to work)

Why would this prevent E2EE being used?

@markwyner @fembot @mo @FediTips

@strypey *Technically* both could do it, BUT for social media websites this would blow the project scope completely out of proportion especially for FOSS projects and only ever apply to DMs (also to implement this in a user-friendly, yet secure way is extremely hard). It's more sensible to point to Signal, Threema etc.

For Cloud… you can do it, but this would automatically exclude *any* server-side feature (a lot!). That's why Nextcloud doesn't default to it.
@markwyner @fembot @mo @FediTips

@Natanox
> for social media websites this would blow the project scope completely out of proportion especially for FOSS projects

*cough* Matrix *cough*

> It's more sensible to point to Signal, Threema etc

See above.

> this would automatically exclude *any* server-side feature

But ... how? Either I completely misunderstand what you're saying, or maybe you're getting confused between E2EE and on-device.

@markwyner @fembot @mo @FediTips

@strypey @markwyner @fembot @mo @FediTips Matrix is an absolute clusterfuck that doesn't work properly in so many cases it's not even funny anymore and requires the user to take care of their own keys to not see "Couldn't decrypt message" all the time (and even if you got the keys it loves to still not work properly, deauthenticate your session willy-nilly, etc.). If anything Matrix is a prime example of exactly what I said, that it's extremely hard and would blow up any social media project.
@strypey @markwyner @fembot @mo @FediTips With Cloud, to make sure admins can't just take over your account or look into things, everything has to be encrypted by your devices so nobody but you is able to decrypt it without your password (which is used to derive the encryption key from). Changing said password without entering the old one, like a server admin can do, would permanently lock the account out of its own files.
@strypey @markwyner @fembot @mo @FediTips This however also means that the server can't read any of the files and therefore has no way to do anything with them, be it automated calendar features, any kind of sorting, tagging, face recognition on your photos etc. Any kind of compute would have to happen on the user devices. This is technically possible but often either inherently user-unfriendly or not feasible for various reasons (battery, bandwidth, whatever).
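An added illustration of the lockout described in the two posts above. It is not Nextcloud's or any project's code; the layout, names and the toy cipher are assumptions. The server stores only a login verifier and an opaque blob whose key is derived on the client from the user's password (PBKDF2). An admin can overwrite the verifier with a new password but never had the old one, so the blob key cannot be re-derived and the data is stranded. The stream cipher is a stdlib-only stand-in (HMAC-SHA256 keystream plus an HMAC tag) for a real AEAD such as AES-GCM:

```python
"""Constructed demo: client-side encryption under a password-derived key
versus an admin-side password reset. Not production code."""
import hashlib
import hmac
import os


def _kdf(password: str, salt: bytes, purpose: bytes) -> bytes:
    # Domain-separated so the login verifier and the data key never collide.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), purpose + salt, 100_000, dklen=64)


def _keystream(key: bytes, nonce: bytes, n: bytes_len := int) -> bytes:  # noqa: E999 (placeholder)
    raise NotImplementedError
```

(see the corrected block below)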

(1/?)

Ok, let's back up a bit. Firstly, the End-to-End principle isn't really relevant here, because there's only one 'end' involved; the device you're using with the server. HTTPS already encrypts the connection between the two.

So what we're really talking about is encrypting what the server is doing - both processes and storage - so that it can only be accessed by the person doing their computing there, not an admin of that server.

@Natanox
@markwyner @fembot @mo @FediTips

@strypey @markwyner @fembot @mo @FediTips So you're talking about Secure Enclaves on the server while I'm talking about classical E2EE…?

This gets very technical and drastically Offtopic, we should split this thread to not flood people's inbox. 🫠

@Natanox
> So you're talking about Secure Enclaves on the server while I'm talking about classical E2EE…?

On reflection, you're right that E2EE isn't the right term. But the first post I replied to seemed to be implying that using a server without exposing everything you do to the admin isn't possible with "cloud" services (doing your computing on someone else's computer instead of our own). If that's not what you meant, then we're good.

@markwyner @fembot @mo @FediTips

(2/?)

> Any kind of compute would have to happen on the user devices

So LavaBit, CryptPad, Mega, and all the other projects that have developed services they say they can't see inside of, they're all doing everything on device, with only storage and sync happening on the server?

@Natanox
> Matrix is a prime example of exactly what I said, that it's extremely hard and would blow up any social media project

The existence of a wide range of Free Code projects implementing Matrix suggests the opposite.

> requires the user to take care of their own keys to not see "Couldn't decrypt message" all the time

There have been UX teething problems. But I haven't had a UtD error since the software I'm using upgraded to the Matrix 2.0 approach.

@markwyner @fembot @mo @FediTips

@Natanox
> for social media websites this would blow the project scope completely out of proportion especially for FOSS projects

I was so surprised by this I forgot to mention the obvious counterexample, the branch of the fediverse that includes Friendica, Hubzilla, and Forte. Federation between some of these uses the DFRN/ Zot/ Nomad protocol to do some degree of E2EE on non-public posts. It doesn't seem to cause any more headache than implementing ActivityPub.

@markwyner @fembot @mo @FediTips

@strypey Hey, I'd be happy to be proven wrong and ActivityPub to just be more lackluster than I expected. 🙂 @markwyner @fembot @mo @FediTips
@FediTips @markwyner how do they make money off this???

@MikeImBack

Spam is complicated. Once a person with nefarious intentions has access to a single account from someone, they can use info from that to take myriad other actions.

For example, they can use it to gain access to other accounts that person owns. They can also use the hacked account to impersonate the person, phishing with people the victim knows.

@FediTips

@markwyner @MikeImBack @FediTips But wouldn't the scammer need to know the account's password for this to work? (Or am I missing something?)
@james @markwyner @MikeImBack @FediTips Nope. Once the victim changes the email address to the scammer's email, the scammers can send a password reset request to that email (that the victim won't see), change the password, and gain access to the account. It's sort of like SIM swapping attacks in a way, but with an email instead of phone numbers.

@Quinn9282 @markwyner @MikeImBack @FediTips Oh yes. I'm half asleep at the moment (or half awake, depending on your outlook on life).

All the more reason to enable 2FA, then!
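A constructed simulation of the takeover chain @Quinn9282 describes and of why @james's "enable 2FA" helps. It is added here and is not Mastodon's code; the service, account names, token format and the toy TOTP are all assumptions, as is the (sane) assumption that a password reset does not clear the second factor. The victim is talked into setting the scammer's address; the scammer then requests a reset, reads the token from the inbox they control, sets a new password and tries to log in:

```python
"""Constructed account-service model: email change, email-based password
reset, login with optional second factor. All names and flows are assumptions."""
import hashlib
import hmac
import os
import secrets


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _totp_code(secret: bytes) -> str:
    # Toy stand-in for a TOTP code: derived from a secret the attacker never sees.
    return hmac.new(secret, b"current-step", hashlib.sha256).hexdigest()[:6]


class Account:
    def __init__(self, email: str, password: str):
        self.email = email
        self.salt = os.urandom(16)
        self.pw_hash = _pw_hash(password, self.salt)
        self.totp_secret = None            # bytes once 2FA is enabled
        self.reset_tokens = set()

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _pw_hash(password, self.salt))


class Service:
    def __init__(self):
        self.accounts = {}
        self.outbox = {}                   # address -> list of delivered messages

    def register(self, name, email, password):
        self.accounts[name] = Account(email, password)

    def enable_2fa(self, name):
        self.accounts[name].totp_secret = os.urandom(20)

    def change_email(self, name, current_password, new_email) -> bool:
        # The victim knows their own password, so this gate does not stop the
        # scam; it only stops someone who merely hijacked a session.
        acct = self.accounts[name]
        if not acct.check_password(current_password):
            return False
        acct.email = new_email
        return True

    def request_reset(self, name):
        acct = self.accounts[name]
        token = secrets.token_urlsafe(16)
        acct.reset_tokens.add(token)
        self.outbox.setdefault(acct.email, []).append("reset-token:" + token)

    def reset_password(self, name, token, new_password) -> bool:
        acct = self.accounts[name]
        if token not in acct.reset_tokens:
            return False
        acct.reset_tokens.discard(token)
        acct.salt = os.urandom(16)
        acct.pw_hash = _pw_hash(new_password, acct.salt)
        return True                        # assumption: the second factor survives a reset

    def login(self, name, password, totp=None) -> bool:
        acct = self.accounts[name]
        if not acct.check_password(password):
            return False
        if acct.totp_secret is not None and totp != _totp_code(acct.totp_secret):
            return False
        return True


def run_scam(victim_has_2fa: bool) -> dict:
    """Plays the chain through and reports who can log in afterwards."""
    svc = Service()
    svc.register("alice", "alice@example.org", "correct horse battery")
    if victim_has_2fa:
        svc.enable_2fa("alice")
    # Social-engineering step: alice herself "temporarily" sets the scammer's address.
    svc.change_email("alice", "correct horse battery", "scammer@example.net")
    # Scammer: reset, read the token from the inbox they control, pick a password.
    svc.request_reset("alice")
    token = svc.outbox["scammer@example.net"][-1].split(":", 1)[1]
    svc.reset_password("alice", token, "pwned123")
    acct = svc.accounts["alice"]
    victim_totp = _totp_code(acct.totp_secret) if acct.totp_secret else None
    return {
        "scammer_logged_in": svc.login("alice", "pwned123"),          # no TOTP code
        "victim_old_password_works": svc.login("alice", "correct horse battery", victim_totp),
    }


if __name__ == "__main__":
    print("no 2FA  :", run_scam(False))   # scammer in, victim locked out
    print("with 2FA:", run_scam(True))    # scammer stopped at the second factor
```

Either way the victim's old password no longer works and they need their admins to recover the account; the difference 2FA makes is that the scammer is stopped at the second factor instead of posting from the account. As @Natanox notes further up, a real admin can also clear 2FA, so the durable defence is the one in the first post: never make the email change.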

@markwyner @FediTips email I can see, but anyone on mastodon that has multiple accounts is not likely to fall for phishing scams you'd think...they're just going after the wrong people here

@FediTips @markwyner

Can non-admins even see the email?

The reason I ask is because I use unique emails for different things… and I expect only the admin could see the email I used for mastodon.

@philsplace

Admins/mods can indeed see account email addresses. And IPs. We use those tools to help keep things safe. I believe this is true for most every system where you have an account.

It’s possible there’s a setting that restricts email addresses to only admins, with no mod access. But I’m not sure about that. I just assume all mods have access. But mods are sort of admins in many ways.

@FediTips

@FediTips @markwyner

I'd like to think that @Mastodon users are more intelligent than to fall for that.... 😂

@kaffando

Well…you’d be surprised how many people get confused about this kind of thing. It’s easy to assume our knowledge/experience is universal, but it’s not. There are a lot of non-tech-savvy folks on Mastodon.

@FediTips @Mastodon

@markwyner @kaffando @FediTips @Mastodon

But, but, ... thanks to this e-mail switch campaign, there are now fewer non-tech-savvy accounts on Mastodon.

@Kazinator @markwyner @FediTips @Mastodon

You don't have to be tech-savvy. Just having a brain is enough 🤩

@kaffando @Kazinator @markwyner @FediTips @Mastodon Don't say that, scams win eventually simply by being so prevalent. Just browse r/Scams for a while and you'll see posts from IT experts who, contritely, describe how they fucked up and got hacked by a scammer.

Even worse is what happens through a compromised account. If someone would manage to get into my account an LLM trained on my public posts might extort money from many friendly people faster than I could reach our two admins.

@kaffando @FediTips @markwyner @Mastodon

I doubt it is a lack of intelligence that is the reason why people fall for scams; some people have a very trusting nature, or are tired/ill or distracted, stressed out and for a moment let their guard down.

I sincerely hope you are never caught off guard like so many intelligent folk.

Re last: If anyone asks you to do that regarding your alovertheplace.ca account, talk to me. I will nuke them and their instance from orbit.

@quanin
> I will nuke them and their instance from orbit

It's the only way to be sure ; )

Re last: If anyone asks you to do that regarding your account here on the bear's den, let us know, and we'll take appropriate and swift action.

@FediTips @markwyner

Something very similar was attempted with me through Steam. That was two or three years ago. I think the perpetrator got what was coming to him, because I reported the incident to all three mediums/platforms he tried to exploit to do it.

@FediTips @markwyner Also, don't feel bad if you fall victim to a scam. There's no shame in it. We're all vulnerable to one type of scam or another, and the biggest protection is accepting that and staying vigilant.

@fullfathomfive

Absolutely. I do see some shaming and disbelief that folks are susceptible. That bothers me. It happens. Thank you for offering this reassurance to people.

@FediTips

@markwyner @fullfathomfive @FediTips I look at the experiences of people like @pluralistic and Troy Hunt as a reminder that any of us can have a bad day and let our guard down. None of us is invincible, and being scammed doesn't mean we're too stupid for Mastodon.
https://pluralistic.net/2025/04/05/troy-hunt/
Pluralistic: How the world’s leading breach expert got phished (05 Apr 2025) – Pluralistic: Daily links from Cory Doctorow

@claudinec

I love reading kind words from kind people more than I can express. Kindness and empathy are salve for the soul.

@fullfathomfive @FediTips @pluralistic

@FediTips @markwyner

That is such an obviously bad idea that I wouldn't do it regardless of whether the person asking was a real admin or not.

@FediTips
It is the kind of scam where someone asks you to empty your bank account into theirs in order to keep your money safe. It seems like people still fall for that.
@markwyner

@FediTips
👆🏼

Ping @admin.

A notice along these lines in the language of Molière could be a good thing, no?
@markwyner

@un_bourguignon @FediTips @admin @markwyner Hello, we post this kind of reminder very regularly, every time we see a wave of it on Piaille.
@FediTips @markwyner I guess that at least means the fediverse is now big enough to attract the scammers?

@FediTips @markwyner
Not just for Mastodon, any service that uses email for resetting your password will have people trying this scam.

Don't fall for it anywhere.

And yes, a real admin will be able to change your email and password, etc on their own, so any time someone claiming to be an admin asks you to do that, it's a red flag.