You grab the .torrent file from the source website (Mint, in this case) and it’s safe

Cloudflare masks the origin IP address and has DDoS protection. Unless it’s a DoS against the software, yes, it is a long term solution.

You should change the public IP of the server if you haven’t already

I used https://sub.rehab/ to import my reddit subs. Didn’t do all of them but it’s good enough so far

Good point. I suppose the only way to fix that particular issue to disallow cookie authentications from a new location

Prior to the JWT secret being rotated, yes, they could have authenticated as you. The tokens are now all invalid and useless

Does an admin account have any permissions to view email addresses or data of registered users?

Did MichelleG not have 2FA enabled?

Now that this has happened, it’s be worth pushing this issue through as high priority. If HttpOnly was enabled, then an admin takeover would not have been possible.

https://github.com/LemmyNet/lemmy-ui/issues/1252

Petition to change the lemmy.world logo to Lenny