Hexbear was a victim of a targeted XSS attack similar to the attack many other Lemmy instances have seen.

The account that first leveraged the attack was registered on 2023-07-10 at 03:58 UTC; the fix for the vulnerability was applied at around 04:35 UTC. This leaves a ~40 minute window in which anyone browsing the site could have had their account hijacked.

The attacker was able to act (post, comment, DM) as the account they hijacked. They will also have been able to view/use the compromised account’s settings page. This means they will have been able to see users’ email addresses. Some accounts that were compromised were temporarily banned; these bans have now been lifted.

If you were using the site during the above time window, please double check your account settings to see if anything was changed.

Passwords were not stolen, JWTs were. We have just invalidated all old JWTs so the attacker no longer has access to the hijacked accounts (this is why all users have been logged out).
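The mitigation the post describes, invalidating every JWT issued before the fix so that a stolen token stops working, as an added example that is not Hexbear's or Lemmy's code: a minimal HS256 JWT issuer/verifier with a server-side "not issued before" cutoff and, as a second route to the same effect, rotation of the signing secret. The signing secret, user ids and the `SessionAuthority` class are constructed for illustration; the only values taken from the post are the 03:58 UTC and 04:35 UTC timestamps.

```python
"""Added example (not Hexbear/Lemmy code): killing stolen JWTs server-side."""
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Timestamps from the post: attacker account registered 03:58 UTC, fix deployed ~04:35 UTC.
ATTACK_START = int(datetime(2023, 7, 10, 3, 58, tzinfo=timezone.utc).timestamp())
FIX_DEPLOYED = int(datetime(2023, 7, 10, 4, 35, tzinfo=timezone.utc).timestamp())


class SessionAuthority:
    """Issues and verifies HS256 JWTs, with two ways to reject every outstanding token."""

    def __init__(self, secret: Optional[bytes] = None) -> None:
        self.secret = secret or secrets.token_bytes(32)  # constructed key, not a real one
        self.not_issued_before = 0  # tokens whose iat is earlier than this are rejected

    def issue(self, user_id: int, issued_at: int) -> str:
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
        claims = _b64url(json.dumps({"sub": user_id, "iat": issued_at}, separators=(",", ":")).encode())
        sig = hmac.new(self.secret, f"{header}.{claims}".encode("ascii"), hashlib.sha256).digest()
        return f"{header}.{claims}.{_b64url(sig)}"

    def verify(self, token: str) -> Optional[int]:
        """Return the user id the token authenticates, or None if it must be rejected."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        header_b64, claims_b64, sig_b64 = parts
        try:
            header = json.loads(_b64url_decode(header_b64))
            claims = json.loads(_b64url_decode(claims_b64))
            sig = _b64url_decode(sig_b64)
        except ValueError:  # bad base64, bad UTF-8 or bad JSON
            return None
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return None
        if header.get("alg") != "HS256":  # never let the token pick its own algorithm
            return None
        expected = hmac.new(self.secret, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None
        if not isinstance(claims.get("iat"), int) or claims["iat"] < self.not_issued_before:
            return None  # issued before the global cutoff: treat as stolen
        return claims.get("sub")

    def invalidate_all_issued_before(self, cutoff: int) -> None:
        """Route 1: keep the secret, reject everything issued before `cutoff`."""
        self.not_issued_before = max(self.not_issued_before, cutoff)

    def rotate_secret(self) -> None:
        """Route 2: new signing key, so every old signature fails verification."""
        self.secret = secrets.token_bytes(32)


def demo_hijack_window() -> dict:
    """Walk the timeline from the post and record how each token fares."""
    auth = SessionAuthority()
    # A session that was live during the ~40 minute window and whose token was exfiltrated.
    stolen = auth.issue(user_id=1001, issued_at=ATTACK_START + 600)
    results = {"stolen_token_before_fix": auth.verify(stolen)}
    auth.invalidate_all_issued_before(FIX_DEPLOYED)  # "invalidated all old JWTs"
    results["stolen_token_after_cutoff"] = auth.verify(stolen)
    fresh = auth.issue(user_id=1001, issued_at=FIX_DEPLOYED + 60)  # user logs back in
    results["fresh_token_after_cutoff"] = auth.verify(fresh)
    auth.rotate_secret()  # the alternative: everything signed with the old key dies
    results["fresh_token_after_rotation"] = auth.verify(fresh)
    return results


if __name__ == "__main__":
    print(demo_hijack_window())
```

The `iat` cutoff costs one integer of server state and leaves the signing secret in place, which matters when that secret is shared with other services; rotating the secret needs no per-token claim at all but also kills tokens issued after the attack was fixed. Either way this is a response control, not a prevention: the token was stealable because injected page script could read it, so the durable fixes are removing the XSS and keeping the session token out of reach of script (for a cookie, the `HttpOnly` attribute).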

69 points

Just to let you know, anything cringy I post from now on is actually just because I got hijacked

This is going into my next ban appeal

The hackers made me do it

43 points

Was here the whole time.

Did not even notice; I figured it simply hadn’t worked or hexbear hadn’t been targeted because it’s not federated or in lists. Handled extremely smoothly compared to other instances.

This actually gives at least some idea about how they went about certain things. Whatever list of lemmy sites they used had to include Hexbear. They didn’t just use federated instance lists.

52 points

One of our devs was online at the time and patched it very quickly, and seemingly no admin accounts were hijacked, so all they could do was normal wrecker shit.

We have the finest devs, folks. Many people are saying this.

Many such cases!

How international are the devs and admins? I don’t expect them to be on 24/7, but it would be good if the regions were diversified so someone would be notified while the other is sleeping.

8 points

Judging by the response time on this issue, I think pretty diversified. I’d be surprised if there was anyone west of the US or east of central Europe though, just based on site demographics.

Excited for the torrent of people that are locked out of their account because they don’t use a password manager.

16 points

Password rememberer here, I don’t need a manager.

6 points

My password manager is my big, wrinkly, meat brain

2 points

Use a password manager. It’s hygiene for your digital life. Scrub with soap.

14 points

The purge

34 points

This is an important milestone, as everyone was finally logged out for a reason other than something I did

11 points

So YOU’RE the reason I remember my password

31 points

to our big beautiful admin team for the quick fix.
