- DMs - this is an issue, but as I say you shouldn’t be chatting on Mastodon if you want your conversations to be private. Move the conversation elsewhere.
- Email addresses - might be an issue, but only if you’re using an email you shouldn’t be and linking accounts/online personas together when you want them separate.
- Logins - publicly available. Passwords were secure.
- IPs - always gonna be available to the instance or website you’re using. If you don’t want the instance to know your home IP, there are a number of things you could be doing to mask this.
It’s really only the DMs that have some level of concern. IPs and email addresses might give the FBI a lead, however only if you aren’t covering yourself properly. E.g. one of the darkweb marketplaces sent a welcome email to new users with a reply-to email for the admin’s personal Gmail - this was used to identify him as he used the same email on LinkedIn.
What happened here isn’t great, but with federated social media it should be immediately obvious that things are not private nor massively secure, and users should take that into account when registering for and using the service. This article doesn’t prove any new faults with federated services that weren’t already a given.