Hexbear was a victim of a targeted XSS attack similar to the attack many other Lemmy instances have seen.

The account that first leveraged the attack was registered on 2023-07-10 at 03:58 UTC; the fix for the vulnerability was applied by around 04:35 UTC. This leaves a ~40 minute window in which anyone browsing the site could have had their account hijacked.

The attacker was able to act (post, comment, DM) as the account they hijacked. They will also have been able to view/use the compromised account's settings page. This means they will have been able to see users' email addresses. Some accounts that were compromised were temporarily banned; these bans have now been lifted.

If you were using the site during the above time window, please double check your account settings to see if anything was changed.

Passwords were not stolen, JWTs were. We have just invalidated all old JWTs so the attacker no longer has access to the hijacked accounts (this is why all users have been logged out).
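The "invalidated all old JWTs" step above needs server-side state, because a JWT with a valid signature stays verifiable until it expires, so a stolen one keeps working unless the verifier also refuses tokens issued before a cutoff. The following is an added example, not Hexbear's or Lemmy's code: a minimal HS256 issuer/verifier with a global issued-before cutoff; the demo key and the module-level `TOKENS_INVALID_BEFORE` variable are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key for this example only; a real deployment loads it from a secrets store.
SECRET = b"demo-signing-key-not-for-production"

# Server-side cutoff (assumed here as a module global; persist it in a DB or cache in practice).
# Every token whose `iat` is older than this is refused. 0 means nothing has been revoked yet.
TOKENS_INVALID_BEFORE = 0


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, iat: int) -> str:
    """Mint an HS256 JWT carrying the subject and its issue time (`iat`, seconds since epoch)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "iat": iat}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims only if the signature is valid AND the token post-dates the cutoff."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None  # not three dot-separated segments
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None  # tampered payload or wrong key
    claims = json.loads(_b64url_decode(payload))
    if int(claims.get("iat", 0)) < TOKENS_INVALID_BEFORE:
        return None  # still correctly signed, but revoked by the global cutoff
    return claims


def invalidate_all_tokens(now: int) -> None:
    """Global logout: refuse every token issued before `now`, forcing everyone to log in again."""
    global TOKENS_INVALID_BEFORE
    TOKENS_INVALID_BEFORE = now
```

Moving the cutoff forward is what makes a token exfiltrated via XSS useless without rotating the signing key, at the cost of logging every user out, which is exactly what the post describes.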

  • LastTryToLogin [none/use name] · 1 year ago

    Glad the damage has been minimal. Once the login issue is resolved we should make a pinned thread so everybody who was logged out can be made aware that they can log back in, as I am sure many people now are experiencing the same login issues that began during the site updates of the past few weeks. (This account is the 4th I have made in that time; all others cannot log in on any device or browser.)

    • BoarAvoir [they/them]A · 1 year ago

      I've been seeing these messages periodically and don't know how to handle this issue as we haven't been able to replicate the issue locally at all. Would you (or anyone else experiencing login issues) be willing to hop on Matrix or DM, or whatever works for you to try some troubleshooting steps with me or a member of the dev team?

      I believe our prime suspect is a cookie that's not getting cleared, but there are some other things I'd love to check.

      • plantifa [they/them] · 1 year ago

        Hi, when both manually typing and also pasting (not very safe, I know, but I had to know if it was a user error when inputting it) my new password when attempting to log into my account from a different browser (caches cleared, history cleared in this new browser) after switching my original password after the forced logout, I also experienced the spinning bear.

        I went back to the other browser where I'm still logged in to change passwords a second time, and after pasting my recently changed password, the new password change went through and I was then able to log in from another browser. I wouldn't have been able to switch my second password another time if I had an incorrectly recorded password, so I believe for quite a few users that are unable to log in (including one friend who I communicate off-site with), they are experiencing issues with their account logins that don't originate with user input errors or with uncleared caches. Very glad to have my account logged in to at least one other browser, else I'd be perma-locked out of my account due to the dreaded spinning bear; it prompted me to create a burner email to prevent a logout + spinning bear situation in the future.

        E: Please let me know if I can assist in some way with this issue and thanks again for you and other devs and admins' work on our beautiful bear site.

          • plantifa [they/them] · 1 year ago

            Input of the old password led to the spinning bear earlier on a non-logged-in browser, while the same old password was successful when confirming a new password change in settings on a different browser where I am logged on to the website. It's not the old password itself that's an issue but something that has to do with the process of logging in, else I would not have been able to change my password on the browser I'm still logged in on meow-knit

            • Aceivan [they/them, null/void] · 1 year ago

              ohhhh gotcha

              If you can still reproduce the problem on that other browser I'd check for things like cookies and cached service workers and stuff... (If it's Firefox, Ctrl-Shift-E and then go to the Storage tab to look at cookies. Things like the domain, expiration date, and settings like HttpOnly, Secure, SameSite should be innocuous to share but potentially useful to infer if it's an old stuck cookie, or using the wrong domain, etc.)