Kolektiva.social, an anti-colonial anarchist collective that offers a social media platform for anarchists through Mastodon, has suffered a data breach that potentially exposed the sensitive details of its 7,800 members.
Mastodon is a popular alternative to Twitter, featuring micro-blogging, hashtags, mentions, and the equivalent of tweets, named “toots.” Mastodon is decentralized and recently gained popularity following multiple experience-degrading changes enforced by Twitter’s new owner, Elon Musk, including usage restrictions, content access limitations, and a loss of user trust in the platform.
However, as RestorePrivacy highlighted in a November 2022 post covering Mastodon privacy issues, the platform has its own caveats when it comes to privacy protection: it relies on privately run servers that host “instances” like Kolektiva, so the volunteers operating those servers are the ones responsible for safeguarding users’ data. That data includes email addresses, IP addresses, browser metadata, and direct messages exchanged between community members, which Mastodon stores in cleartext rather than end-to-end encrypting them.
FBI Holds Cleartext Data
An announcement posted by the community’s creators on Mastodon explains that one of the administrators was raided in mid-May 2023 as part of an investigation into an unrelated matter, and that law enforcement seized all electronics at the location.
At the time, the admin was working on a database backup while troubleshooting an issue, and that backup was seized in the raid. Although Kolektiva.social’s data is encrypted at rest on the server, the backup copy the admin was working with was unencrypted, so the FBI now holds that data in cleartext.
The seized database includes the following user information:
- User account information such as the email address associated with the account, followers, and accounts followed,
- All user posts: public, unlisted, and followers-only,
- Direct messages with other users,
- IP addresses associated with the accounts,
- A hashed version of the users’ passwords.
IP addresses are the element most directly useful for identifying members. The announcement clarifies that Kolektiva.social retains IP addresses only for users who logged in within the previous three days, so the seized copy holds them only for accounts active in that window.
All Kolektiva.social users are advised to reset their passwords immediately as a precaution, even though the passwords themselves were not exposed in cleartext. The database holds password hashes, and a hash cannot be decrypted: no key is involved in producing it, so there is nothing to recover with a key. What holding the hashes does allow is offline guessing. An attacker hashes candidate passwords and compares the results, so short, common, or reused passwords can be recovered given enough time, while long random ones effectively cannot. Mastodon uses bcrypt, a deliberately slow hash, which raises the cost of each guess but does not remove the risk for weak passwords. That guessing risk is why the reset is recommended, and anyone who reused their Kolektiva password on another service should change it there as well.
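The following Python script is an added illustration, not code from the article, Kolektiva, or Mastodon. It builds a constructed two-row stand-in for the users table of a seized backup, storing only salted, iterated hashes, and then runs the offline guessing that someone holding such a table can actually do. Standard-library PBKDF2 is used as a stand-in for Mastodon’s bcrypt; the user names, passwords, and wordlist are hypothetical.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Work factor for the slow hash. A real deployment (bcrypt in Mastodon's case)
# is tuned so that one hash costs tens of milliseconds; that cost is what an
# offline guesser must pay for every candidate it tries.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated one-way hash. No key is involved, so there is nothing
    to 'decrypt'; the only way back to the password is to guess it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_seized_table() -> list:
    """Constructed stand-in for the users table in a seized backup, reduced to
    the columns that matter here. Names and passwords are hypothetical."""
    users = [("weak_user", "password123"), ("strong_user", "v7#Lq2!zR8$wPm9T")]
    table = []
    for name, password in users:
        salt = os.urandom(16)  # per-user salt: identical passwords hash differently
        table.append({"name": name, "salt": salt, "hash": hash_password(password, salt)})
    return table


def offline_guess(record: dict, wordlist, iterations: int = ITERATIONS) -> Optional[str]:
    """What someone holding the hashes can actually do: hash each candidate
    with the record's salt and compare. Returns the password if a candidate
    matches, None if the wordlist is exhausted."""
    for candidate in wordlist:
        digest = hash_password(candidate, record["salt"], iterations)
        if hmac.compare_digest(digest, record["hash"]):
            return candidate
    return None


def cost_per_guess(iterations: int) -> float:
    """Rough wall-clock seconds one guess costs at the given work factor."""
    start = time.perf_counter()
    hash_password("timing-probe", b"\x00" * 16, iterations)
    return time.perf_counter() - start


# Constructed wordlist: the kind of short list an attacker starts with.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123"]


if __name__ == "__main__":
    table = make_seized_table()
    for record in table:
        found = offline_guess(record, WORDLIST)
        print(f"{record['name']}: {'recovered ' + found if found else 'not in wordlist'}")
    # Why the work factor matters: the same guess at 1 vs. ITERATIONS iterations.
    print(f"1 iteration: {cost_per_guess(1):.6f}s/guess; "
          f"{ITERATIONS} iterations: {cost_per_guess(ITERATIONS):.4f}s/guess")
```

Running it recovers `weak_user`’s password from a five-word list and finds nothing for `strong_user`, and the timing line shows the per-guess cost the work factor imposes; with a real wordlist of millions of entries that cost, multiplied per user, is the only thing standing between a seized hash table and the weak passwords in it.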
“In hindsight, it was obviously a mistake to leave a copy of the database in an unencrypted state. Unfortunately, what would otherwise have been a small mistake happened to coincide with a raid, due to bad luck and spectacularly bad timing.” – Kolektiva.social admin
The statement adds that Kolektiva’s live servers were not affected, so nothing beyond the contents of the seized backup has been exposed.
Anarchist movements generally face heightened scrutiny from the authorities due to their anti-systemic stance, so the exposure of Kolektiva’s database does significant harm to the privacy of its members and creates a basis for follow-up action such as digital monitoring, targeted legal interventions, allegations, and even detentions.
The incident is also a reminder to all Mastodon users of the extent of control instance administrators hold over their data. The decentralized nature of Mastodon means entrusting sensitive data to potentially unvetted server operators, who can access, misuse, or, as in this case, fail to protect it. Users should therefore be mindful of what they share on the platform, including in direct messages, and treat it as public data.