EDIT: I'm putting this up front so it's the FIRST thing you see and read: I WAS WRONG I ASSUMED (and I know better) that it wasn't possible for me to have 3000 accounts created within a day or two of going live. I ASSUMED what I saw was accounts that were NOT local, I WAS WRONG I created a process to remove the bot accounts from my database without crashing my site. I have tested and it looks like all functions are working. If you need help because you suddenly have thousands more accounts than you would suspect ask me for the procedure. I'll gladly provide it.
I was able to identify bot accounts by looking at creation times. They accounts are grouped by "batches" where the account creation times are within seconds of each other. That's not typically going to happen with random humans creating accounts.
I used a tool to see how many users my site had. Once I saw the count was larger than expected, I wondered who these users were. I checked the database table and saw a huge list. I know for a fact that all these users are not on my instance. I was able to confirm that the database includes email address and password hash. This SHOULD mean that if someone tries to login, and their authentication information is sitting in my database, they can login at my site locally, correct? I only ask because I did not find an entry anywhere that lists a “home” instance for them to log in to. Am I correct in understanding that accounts are distributed like communities are?
People from different instances are not able to login on your instance. For example you might see me in the people table, but local should be false. People registered on your instance shows up on local_users and on people with local set to true.
There have been mass registrations going on recently. Imagine my surprise when my 3 people instance had 460 users but no one online today. Took my instance down to investigate and deleted all local users in person table except the known users. Not the cleanest way to do it but I don't think I broke anything :D
I think it's actually pretty clean. Thanks to the references on the
person
table all related entries in the database like posts, comments, etc. also get deleted if there are any. It's better than banning all those fake users and thereby spamming the modlog of all instances that federate with you 😅That reminds me of an incident we had.
On of our customers sites suddenly had hundred's of new signups.
It turns out a hacker tried to fuzz the site,
and since there was no captcha/spam protection in the signup form he created hundred's of accounts.
I created a process to remove the bot accounts from my database without crashing my site. I have tested and it looks like all functions are working. If you need help because you suddenly have thousands more accounts than you would suspect ask me for the procedure. I'll gladly provide it.
I was able to identify bot accounts by looking at creation times. They accounts are grouped by "batches" where the account creation times are within seconds of each other. That's not typically going to happen with random humans creating accounts.
Dont worry, it happened years ago.
I wouldn't be taking about that kind of stuff if it was ongoing or recent.