Your instance admins know basically everything. They won’t know the password you use since the software shouldn’t be storing that in plaintext. But your activity is pretty clear to them. They can see how you upvote, what you subscribe to, and probably also the IP you connect from.

Why is everyone saying passwords are encrypted? I thought they were hashed?

Logging depends on the instance. Many admins choose to not log any data which could be used to identify any individual, but verifying their claims (without a doubt) as a single user is pretty much impossible and there’s nothing stopping an instance admin of gathering all the data (s)he wants to.

Like are they protected or encrypted so the hackers can’t use them ?

Passwords are encrypted, but in case of a security breach on an instance they are still vulnerable, like with any other password leak. Majority of the systems today use one way encryption with their passwords, but still millions and millions of user accounts are leaked almost daily.

Also what is stoping the instance owners from abusing or selling these behind our back ?

Nothing.

or running a modded version of lemmy are they detectable ?

If done properly, no, you can’t detect them.

But that’s not any different from any of the services around the net. Companies like Meta and Google make their money by selling user data, advertisers track you and all the other things you’re most likely already aware of.

Administrator of my instance said that they don’t gather IP addresses or any other data they don’t need to keep the servers running and I trust them on that, but your mileage may vary. And then there’s different legal systems around the world where an admin might be forced to give out information about individual user, but where I live that’s not a thing.

Use a VPN, use a unique password, don’t register with an email, and don’t post personally identifiable information.