What happened?
Due to a vulnerability in lemmy-ui, an attacker was able to steal authentication tokens (not passwords, but with the same consequences in this case) from lemmy users in certain circumstances, allowing them to effectively impersonate those users.
The attacker was able to get tokens for admin accounts for lemmy.world and blahaj.zone and deface the sites.
Anyone that accessed those instances using the web (supposedly, most third party apps did not show defaced content) was greeted with nasty things until the instance owners were able to reverse the damage and remove the attacker's access.
Is my instance vulnerable?
Only if you have custom emojis enabled. We think.
Is there a fix?
The offending code has been identified and those changes are in the repository. There is no stable release as of posting this, but release 0.18.2-rc.2 contains the fix.
Here is the detailed write-up for admins on what’s best to do! Following this advice is your best course of action, along with communicating with your users, IMO.
My users' info?
Probably safe to assume it is all compromised even if your site did not get defaced, or even if it didn't use custom emojis. There is some work being done to detect if any users' tokens were taken.
Ironically, the hashing used to store users' passwords is about as robust as you can make a modern application. Clear-text passwords are very likely not at risk.
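One way an admin could start on the "were any tokens taken?" question is to look for a single token being used from more than one client at nearly the same time. The script below is an added example, not code from the original post or from the Lemmy project. It assumes the admin has a log of API requests in a constructed "timestamp|user|token_fingerprint|ip|user_agent" format, where token_fingerprint is a hash of the auth token recorded at the reverse proxy (never the token itself); the field names, the format and the sample events are all made up for this example.

```python
"""
Added example (not from the original post or from the Lemmy project): flag
authentication tokens that appear to be used by more than one client.
The record format 'ts|user|token_fp|ip|ua' and every sample line below are
constructed for this example; nothing here is real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

Client = Tuple[str, str]  # (source ip, user agent)


class AuthEvent(NamedTuple):
    ts: datetime    # time the request was seen at the proxy
    user: str       # account the token authenticates as
    token_fp: str   # fingerprint (hash) of the token, never the token itself
    ip: str         # client source address
    ua: str         # client User-Agent header


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed 'ts|user|token_fp|ip|ua' record."""
    ts, user, fp, ip, ua = line.rstrip("\n").split("|", 4)
    return AuthEvent(datetime.fromisoformat(ts), user, fp, ip, ua)


def find_shared_tokens(events, window=timedelta(hours=1)):
    """Return {token_fp: (user, [clients])} for every token seen from two
    different (ip, ua) pairs within `window` of each other.

    A user who carries the same browser session from home to a mobile network
    over the course of a day is not flagged; the same token hitting the API
    from a second client within the hour is."""
    by_token: Dict[str, List[AuthEvent]] = defaultdict(list)
    for ev in events:
        by_token[ev.token_fp].append(ev)

    suspicious = {}
    for fp, evs in by_token.items():
        evs.sort(key=lambda e: e.ts)
        flagged: set = set()
        for i, ev in enumerate(evs):
            # walk back through earlier events until we leave the window
            for prev in reversed(evs[:i]):
                if ev.ts - prev.ts > window:
                    break
                if (prev.ip, prev.ua) != (ev.ip, ev.ua):
                    flagged.add((prev.ip, prev.ua))
                    flagged.add((ev.ip, ev.ua))
        if flagged:
            suspicious[fp] = (evs[0].user, sorted(flagged))
    return suspicious


def scan(log_text: str):
    """Parse a whole log and return the suspicious-token report."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return find_shared_tokens(events)


def affected_users(report) -> List[str]:
    """Accounts whose tokens were flagged: the set to force-logout first."""
    return sorted({user for user, _ in report.values()})


# Constructed sample: alice's token is reused from a second client 15 minutes
# later, bob simply changes networks 12 hours apart, admin's token is reused
# within two minutes.
SAMPLE_LOG = """\
2023-07-10T09:00:00|alice|fp-a1|203.0.113.5|Firefox/115
2023-07-10T09:05:00|alice|fp-a1|203.0.113.5|Firefox/115
2023-07-10T09:20:00|alice|fp-a1|198.51.100.77|curl/8.1.2
2023-07-10T08:00:00|bob|fp-b7|192.0.2.10|Firefox/115
2023-07-10T20:00:00|bob|fp-b7|192.0.2.44|Firefox/115
2023-07-10T11:00:00|admin|fp-c3|192.0.2.10|Firefox/115
2023-07-10T11:02:00|admin|fp-c3|198.51.100.77|curl/8.1.2
"""

if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    for fp, (user, clients) in report.items():
        print(f"token {fp} ({user}) seen from: {clients}")
    print("force logout:", affected_users(report))
```

The window and the (ip, user agent) pairing are deliberately coarse: the goal is a short list of accounts to invalidate and contact first, not proof of compromise, and a clean report says only that nothing was visible in the logs that were kept.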
How did this happen?
There are about 50 different wider discussions about this right now. Here are some of the most relevant:
- https://akkoma.nrd.li/notice/AXXhAVF7N5ZH1V972W
- https://github.com/LemmyNet/lemmy-ui/issues/1895
- https://sh.itjust.works/post/923025
- https://lemmy.world/post/1299831
What about my VPS, server?
It is very unlikely this particular attack led to root compromise of the underlying software. No admin has come forward from this event claiming anything more than compromised admin credentials and unease about how long an attacker may have been able to gather users' tokens and for what purpose.
GDPR, etc?
Your legal (agreed to, or jurisdictionally) responsibilities and liability are outside the scope of any group of admins. Talk to a real lawyer / solicitor. I am not being funny. This is the one and only recommendation if you are worried or concerned about this.
See https://lemmyadmin.site/post/2 for mitigation steps.