
#Lemmy was #hacked last night and data was manipulated. The bug has been fixed by the developers. Anyone running a Lemmy instance should therefore plan an #update in the short term.


Ruud (ruud@lemmy.world) 2023-07-10 07:04:14:

Lemmy.world (and some others) were hacked

While I was asleep, apparently the site was hacked. Luckily, a (big) part of the lemmy.world team is in the US, and some early birds in the EU also helped mitigate this.

As I am told, this was the issue:

  • There is a vulnerability which was exploited
  • Several people had their JWT cookies leaked, including at least one admin
  • Attackers started changing site settings and posting fake announcements etc

Our mitigations:

  • We removed the vulnerability
  • Deleted all comments and private messages that contained the exploit
  • Rotated JWT secret which invalidated all existing cookies

The vulnerability will be fixed by the Lemmy devs.

Because not all instances are aware, we will not go into detail on the vulnerability yet.

We’re still investigating further into the results of the hack.

Many thanks for all that helped, and sorry for any inconvenience caused!

