2y ago

did fmhy was hacked like .world

Wondering if fmhy was hacked like .world Asking this to know if I should change my password.

27 comments

I don't believe FMHY was affected. For me, the timeline went:
I found out about the hack pretty much immediately when it happened
I immediately hopped into the Lemmy dev matrix channels to get an idea of what was going on
I crossposted the news of the hack in !technology@lemmy.fmhy.ml about 20 or 30 minutes after it happened
In the dev channels, right around when I made the post, a couple of users were able to pin down the exact vulnerability and which server the user that perpetrated it originated from. A user (that I won't name) sent test instructions (that were quickly deleted and I will not share on the off chance that there are servers that don't know about the vuln and haven't patched or mitigated) that verified the vulnerability.
A pull request for the fix was submitted to github (and, from a cursory look at the PR, it closes the hole that was used for the hack solidly) while, simultaneously, a couple of other devs stated that 0.18.1 is not affected by the vulnerability (which I have not taken the time to verify since they've already PRed a patch)
For those reasons, I don't think FMHY was ever at risk because of how quickly it was updated to 0.18.1 coupled with the fact that I don't think custom emojis are a thing on here. It's very possible that I am wrong about that because I'm an idiot but I don't believe there's anything to worry about.
- Thanks for the detail answer
  
  If I'm going to have an actively unhinged sleep schedule, I figure I might as well put it to good use
It shouldn’t be affected because the issue came down to running custom emojis, which to my knowledge, fmhy does not use.
It never hurts to log out, change password, and back in tho
- Thanks for your reply
  
  Anytime! I went to school for cybersecurity so any other questions feel free to let me know. Granted I’m still very much of an amateur/apprentice.
Also, there's seems to be no official word from the admins yet.
Edit: official word here!
- On the Divolt, Zinklog said he should've made a post before they pulled the plug. But the vulnerability seemed scary. Which I can't blame em for. No other official word to my knowledge though
  
  Oh yes I actually agree with that decision. Better safe than sorry.
  But I was worried about the information blackout. I feared the admins got hacked and locked out of the server.
  I'm not familiar with Divolt. Can you browse without being registered? If not, maybe we need a more public backup channel? Dunno, maybe on Mastodon or on another Lemmy instance?
  Today I even checked the fmhy sub on Reddit but there was nothing there.
Fix should come soon, beehaw is already back: https://beehaw.org/post/1039540

27 comments