If you don’t have 2FA active on Bluesky, turn it on NOW.

There’s an ongoing attack taking over accounts and spamming with links, which seems to add an “app password” for access externally. Already had one friend’s account compromised and I’m seeing others.
I hate 2FA but am following your advice for now. I've been locked out of accounts b/c they had been linked to a cell phone that was no longer in use.
Bluesky only does email 2FA
Guide for 2FA for Bluesky?
I’d already turned 2FA on. What’s this about someone adding app passwords that I never added? I’ve none at the moment, can an attacker add some?
I would imagine they need to actually hack you first.

The number one way to protect yourself online is to be extremely cautious about what you click on since most hackers work via social engineering rather than brute force attacks. Don't blindly trust your mutuals sending links to you, verify first.
Thanks for the heads up. I recently had an Instagram account (not my main one) hacked - and they won't let me back in because my face doesn't match the profile image (the hacker changed the image to some random dude - and it never had a face before that anyway).
That's... just stupid? Not everyone uses Instagram for personal photos. Mine has just drawings for example, how would I prove to them that the anime chibi in the pfp is me?
As much as I’d love to, Bluesky’s lack of one-time passwords and/or passkeys — the former *at the very least* — is a deal killer. Their security stack can’t be that outdated, right…?
There's a paypal scam going around with a 0.01 payment to your account and a fake number to call if you don't recognize it. The problem is, the email comes from paypal, so it seems official. If you get a 0.01 payment on Paypal IGNORE IT. The scam only works if you react.
woohoo free digital pennies
Done, thank you
Thank you!
I'm accessing via Firefox, don't know if this affects users like me, but now I found out there is a 2FA, I'll quite happily turn it on...

My Log-in is a single screen, if another screen should pop up I'd be bloody suspicious, but rather safe than sad...
Guess I shouldn’t have made my password “12345”.
Oh hey I'm in your luggage now, President Skroob.
Just followed your advice after realizing that I hadn't enabled it for no good reason!
Hopefully that solves that!
Thanks for the heads up!
Just turn it on. Thank you for the heads up!
Just turned it on. I had to check which email address I was using for BS. lol
On the plus side, some hacker group thinks Bluesky accounts are worth the time and resources to compromise
Probably some of the leftover DOGEsh*t boys doing Trump's bidding. I wondered how long it would take them.
Done but 2FA is a major pain for someone who religiously clears their browsing history. Have to keep my phone next to my laptop always.
My unpopular opinion: 2FA is a pain in the ass that is more likely to permanently lock you out of your own accounts than keep out scammers.
the constant stream of messages from services requesting login confirmations from me because of hackers running into the 2FA wall indicates otherwise for me
I used to think that. Today, I would say it heavily depends on implementation and user habits. Specifically, modern and secure account management relies on our devices remaining available. Steal, burn or fry ALL my hardware at once and I am effectively locked out of virtually all my online accounts.
Being locked out of BlueSky might not be a net negative
If you don’t have 2FA active on everything. Turn it on now.
Thanks for mentioning this. I was wondering ...

bsky.app/profile/bjkeefe.bsky.social/post/3mi3fzsmhrk23
Does Bluesky not support anything other than email 2FA?
nope. only e-mail rn. and it had none at all at launch. not a great security situation imo.
weird that I can’t use something like google authenticator.
Nope fucking joke
how? oldie here
Menu, settings, privacy and security
Good callout, didn't know it had that option.
Thank you, sir.
So annoying to have to deal with that. 2FA should be mandatory.
I see they still don't have support for an authenticator app or even sms :\
Yeah, the lack of support for an authenticator app is absolutely ridiculous.
Thank you for this
Oh wow, I thought I already had that enabled here but I guess not. Appreciate ya 🫡
Hacking a phone is much simpler for ICE. Just a few clicks in "Israeli" hacking software
Do I have to actually be on a Bluesky PDS to enable 2FA?
@mackuba.eu has been begging them to patch the public PDS code, to as yet no result
bluesky didn't expect anyone to use other PDSes so I'm going to say they didn't expect anyone to use 2FA
You need to add @baileytownsend.dev's Gatekeeper
No. You need your PDS to support 2FA.
I have MFA enabled on blacksky.social so at least that PDS allows it. It could be that it’s just offline (perhaps bc of the attacks)
It's working for me on blacksky.
What does the 2FA do exactly?
makes it so when you try to log in, you get a code another way that you have to supply. that way if your password is compromised, someone still can’t get in.
It’s a secondary layer of protection for log ins to your account
Done—thanks!
@bsky.app what the heck why don’t you have authenticator support? At least it’s not text messages but dang.
So these accounts are being taken over by weak password guessing? Or a deeper exploit of Bsky?
Already had it enabled from the get go but did double check just in case. Thanks for the heads up!
E-Mail 2FA is better than nothing, but they need to finally implement TOTP.
Have now enabled 2FA.
Been activated two years ago
is the attack limited to app users? i only use it on a browser.
I only use browser and I think I was targeted