You probably seen around a dozen posts today about lemmy.world getting pwned, so I’m not going to rehash things.

Fortunately we have a lot of active devs at all times now, so the issue was quickly identified and fixed. This means a new UI release is out, which I’ve just deployed.

For those wondering, this instance wasn’t affected. Even though we had custom emoji, it required a local account to exploit. I don’t know if the attacker was discouraged by our registration application form or applied and got denied, but thankfully I didn’t wake up to a clusterfuck :D

That is to say, your accounts in lemmy.dbzer0.com weren’t at danger, even if the problem comments were federated over. This exploit targeted instance admins and aimed at some good ole defacing and chaos monkey shit. It’s like we’re back in the late 90s!

However you advised to keep proper hygiene in your lemmy experience, in this server as well. This particular exploit didn’t steal passwords but it could have theoretically given the attacker access to your lemmy inbox. The lemmy PMs should not be considered secure in any way. Not only could an attacker compromise you and get access to your inbox, but a malicious admin with root access can just straight up read everything in the DB directly. So don’t put anything important in there! That’s why we have matrix!

Hopefully more thorough patches will be applied soon as well.