Mastodon says its primary public instance, mastodon.social, was targeted by a DDoS attack on 20 April 2026, causing intermittent outages and rendering the service inaccessible for some users. The incident follows the recent prolonged DDoS attack against Bluesky, another decentralised social network.
According to public updates, the incident was identified at around 7:00 a.m. ET, when Mastodon said it was investigating the attack. By 9:05 a.m. ET, the organisation said countermeasures had been deployed and site access had been restored, while warning that instability could continue as the attack remained active.
Service disruption limited to mastodon.social
During the incident, users reported error messages and full-screen outage warnings when attempting to access mastodon.social.
Mastodon later said the traffic pattern involved millions of malicious requests consistent with a DDoS attack. The company added that, so far, only mastodon.social had been targeted.
This distinction is important because Mastodon operates as a federated network of independent servers rather than a single centralised platform. While the flagship instance experienced disruption, other Mastodon servers and compatible Fediverse services remained operational.
Access restored while the wider network remained unaffected
Mastodon said countermeasures restored access to mastodon.social within a couple of hours of the attack starting, although some instability could continue while mitigation efforts remained in place.
The disruption was limited to mastodon.social. Other Mastodon instances and compatible Fediverse services remained operational, allowing users outside the affected server to continue reading, posting and interacting normally.






