Wondering if fmhy was hacked like .world Asking this to know if I should change my password.
I don’t believe FMHY was affected. For me, the timeline went:
- I found out about the hack pretty much immediately when it happened
- I immediately hopped into the Lemmy dev matrix channels to get an idea of what was going on
- I crossposted the news of the hack in !technology@lemmy.fmhy.ml about 20 or 30 minutes after it happened
- In the dev channels, right around when I made the post, a couple of users were able to pin down the exact vulnerability and which server the user that perpetrated it originated from. A user (that I won’t name) sent test instructions (that were quickly deleted and I will not share on the off chance that there are servers that don’t know about the vuln and haven’t patched or mitigated) that verified the vulnerability.
- A pull request for the fix was submitted to github (and, from a cursory look at the PR, it closes the hole that was used for the hack solidly) while, simultaneously, a couple of other devs stated that 0.18.1 is not affected by the vulnerability (which I have not taken the time to verify since they’ve already PRed a patch)
For those reasons, I don’t think FMHY was ever at risk because of how quickly it was updated to 0.18.1 coupled with the fact that I don’t think custom emojis are a thing on here. It’s very possible that I am wrong about that because I’m an idiot but I don’t believe there’s anything to worry about.
If I’m going to have an actively unhinged sleep schedule, I figure I might as well put it to good use
It shouldn’t be affected because the issue came down to running custom emojis, which to my knowledge, fmhy does not use.
It never hurts to log out, change password, and back in tho
Also, there’s seems to be no official word from the admins yet.
Edit: official word here!
On the Divolt, Zinklog said he should’ve made a post before they pulled the plug. But the vulnerability seemed scary. Which I can’t blame em for. No other official word to my knowledge though
Oh yes I actually agree with that decision. Better safe than sorry.
But I was worried about the information blackout. I feared the admins got hacked and locked out of the server.
I’m not familiar with Divolt. Can you browse without being registered? If not, maybe we need a more public backup channel? Dunno, maybe on Mastodon or on another Lemmy instance?
Today I even checked the fmhy sub on Reddit but there was nothing there.
Mastodon place for announcement would probably be ideal than another lemmy instance in case a vulnerability that affects them all causes issues.
Sorry. Was finishing my shift at work
I don’t believe so. Divolt is a self hosted instance of Revolt that FMHY uses. And revolt is basically a Open source discord alternative. I started my account there to see if there was any news about it.Though yeah, Mastodon or something might not be a bad idea, but obviously it’s up to the admins on their plans
Fix should come soon, beehaw is already back: https://beehaw.org/post/1039540
