As you may have seen, lemmy.world was recently compromised due to an attacker gaining access to an Administrator account.

This exploit is related to the custom emoji feature, so as a precaution the few custom emoji we had so far have been removed.

As the attack involves hijacking an already logged-in account session, all user sessions have been reset - just in case any possumpat.io account was compromised while we had custom emoji enabled. I apologize for the inconvenience.

I’ll update this post once we know more, and as always if you have any questions let me know.

Edit: For those interested in the technical details, this GitHub thread details the vulnerability and ongoing efforts to mitigate it.

Edit: lemmy.world’s post on the hack.

Edit: Exploit has been patched, will re-enable custom emoji soon.

  • michael · 1 year ago

    Thank you for responding so quickly and taking such precautions!