This post explains the incident well but long story short some hackers were able to compromise user and admin accounts through stolen authentication cookies on some instances.

Before things were clear on exactly how this happened, we pulled the plug on our instance to mitigate the risk. We probabaly should have hastily wrote an announcment post before doing that but the situation seemed critical so we didn’t want to waste any time.

Few hours later, people were able to figure out the issue and promptly fix it. Turns out this vulnerabilty could only be exploited if an instance had custom emojis which thankfully ours didn’t, so users using this instance should be safe from the hack. lemmy.fmhy.ml now runs on v18.2rc which has fixed this vuln to be extra secure.

Sorry for the downtime and we will try to communicate the problem better in the future.

P.S. After somone mentioned exploding-heads on a recent post and why we are still federated with it, we took some time to view it carefully and decided it’s an instance that systematically breaks our rules and to defederate with it. We will shortly post our defederation policy soon to give a better idea on how we will decide on which instance to defederate from moving forward.

  • sudo@lemmy.fmhy.ml
    link
    fedilink
    arrow-up
    37
    ·
    1 year ago

    Appreciate your proactive measures and quickly getting the server up again and patched. Also thanks to all of the admins for their hard work going into the server!

    I support the decision regarding exploding heads.

    Related… Has fmhy also blocked Meta/threads? While I don’t think we should be like Beehaw over here, there are certain places that deserve defederation and Meta/corporate interests are at the top of that list for me.

    • zinklog@lemmy.fmhy.mlOPM
      link
      fedilink
      arrow-up
      35
      ·
      edit-2
      1 year ago

      Right now it’s not even mastodon compatible let alone lemmy. There are some arguments on how federating with them will allow people to migrate to a more privacy respecting instance and still view threads content, and some users say this will allow them to still communicate with their friends who don’t want to switch away from threads.

      So while we do lean towards defederating from it, it’s some months away before we need to actually decide and till then we are simply listening to and discussing both sides of the argument.