Also be wary when using apps and especially when enabling push notifications. Lemmy API currently lacks any kind of support for partial access to an account (unless this has changed recently). So, apps cannot, for example, get read only access to your account’s inbox. Apps can get either no access or full access. When you sign up for push notifications, an authentication token is stored to the push notification server which gives full access to your account to who ever happens to get their hand on that token. If there, for example, happens to be a security vulnerability on the push notification server, it might leak those tokens.
If you have enabled push notifications on some Lemmy app, and want to invalidate the token, you can just change your password.
Here’s a post by Memmy for Lemmy’s developer about push notifications: https://lemmy.ml/post/1534493
Does plus addresses help circumvent that? I think most email providers supports plus addressing (also known as sub-addressing). You can add plus sign and any string before the at sign. For example:
youremail+lemmyaccount1@email.com
. The string between plus and at signs can be anything, and all these addresses points to your normal inbox with the added benefit that you can filter them into different folders.PS. Lemmy version 0.18.2 was released today. It fixes the vulnerability and has some other improvements as well.